History: Jul 13, 2024 - 6:00 a.m.

CVE-2024-4977 Index WP MySQL For Speed < 1.4.18 - Admin+ Reflected XSS

2024-07-13 06:00:06
WPScan
github.com
cve-2024-4977
wordpress
xss
reflected cross-site scripting
security vulnerability
admin user

AI Score: 6.1
Confidence: High

SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial

The Index WP MySQL For Speed WordPress plugin before 1.4.18 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue that could be used against high-privilege users such as admins.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:anynines:mysql:-:*:*:*:*:pivotal_cloud_foundry:*:*"
    ],
    "vendor": "anynines",
    "product": "mysql",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.4.18",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]
