vulnrichment | WPScan | VULNRICHMENT:CVE-2024-8051
History: Sep 17, 2024 - 6:00 a.m.

CVE-2024-8051 Special Feed Items <= 1.0.1 - Stored XSS via CSRF

2024-09-17 06:00:05
WPScan
github.com
cve-2024-8051; special feed items; stored xss; csrf; wordpress plugin; sanitisation; escaping; admin privilege; attackers

EPSS: 0
Percentile: 14.7%

SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial

The Special Feed Items WordPress plugin through 1.0.1 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:wordpress_plugin:special_feed_items:*:*:*:*:*:*:*:*"
    ],
    "vendor": "wordpress_plugin",
    "product": "special_feed_items",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "1.0.1"
      }
    ],
    "defaultStatus": "unknown"
  }
]
