exploitDog

CVE-2024-3886

Опубликовано: 31 авг. 2024

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Ссылки

https://tagdiv.com/newspaper/
Not Applicable
https://www.wordfence.com/threat-intel/vulnerabilities/id/ed9db9c1-c6b5-459e-9820-ec4ee47b244e?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:tagdiv:tagdiv_composer:*:*:*:*:*:wordpress:*:*

Версия до 5.1 (исключая)

EPSS

Процентиль: 76%

0.00969

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-gg9v-hmq9-q2qr

CVSS3: 6.1

github

больше 1 года назад

The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

EPSS

Процентиль: 76%

0.00969

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79