CVE-2024-3963 RafflePress Lite < 1.12.14 - Editor+ Stored XSS

2024-07-1306:00:05

WPScan

github.com

cve-2024-3963

rafflepress lite

editor+

stored xss

giveaways and contests

wordpress plugin

cross-site scripting attacks

AI Score

6.1

Confidence

High

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

The Giveaways and Contests by RafflePress WordPress plugin before 1.12.14 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:rafflepress:giveaways_and_contests_by_rafflepress:*:*:*:*:*:wordpress:*:*"
    ],
    "vendor": "rafflepress",
    "product": "giveaways_and_contests_by_rafflepress",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.12.14",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]