History: Aug 07, 2024 - 6:00 a.m.

CVE-2024-6494 WordPress File Upload < 4.24.8 - Unauthenticated Stored XSS

2024-08-07 06:00:06
WPScan
github.com
Tags: wordpress, file upload, xss, unauthenticated, vulnerability

AI Score: 6
Confidence: High
EPSS: 0
Percentile: 9.5%

SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial

The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WordPress File Upload",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "4.24.8"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:wordpress_file_upload_project:wordpress_file_upload:*:-:-:*:-:wordpress:*:*"
    ],
    "vendor": "wordpress_file_upload_project",
    "product": "wordpress_file_upload",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.24.8",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
