wpexploit | Bob Matyas | WPEX-ID:88162016-9FC7-4194-9E81-44C50991F6E9
History: May 02, 2024 - 12:00 a.m.

Pet Manager <= 1.4 - Reflected XSS

2024-05-02 00:00:00
security update
cross-site scripting
pet manager

AI Score: 6 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high-privilege users such as admins.

1. Add a pet and publish the listing
2. View the pet on the frontend of the site and get a valid post ID (found on the `<body>` element as a class, e.g. `postid-9`)
3. Make a logged-in admin open a link: `https://example.com/wp-admin/post.php?post=__POST_ID__HERE__&action=edit&cmb_force_send=true&cmb_send_label=test%27%29%3B%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E`
4. See the XSS
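
For triage on a site that ran an affected version, the request pattern in step 3 can be searched for in web server access logs. The following is an added example, not part of the advisory or the plugin: it assumes Combined Log Format, uses constructed sample lines, and the function name `suspicious_cmb_requests` is hypothetical. It flags requests to `wp-admin/post.php` whose decoded `cmb_send_label` value contains characters that can break out of a JavaScript string or `<script>` block.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a reflected value leave a JS string or a <script> block.
# Heuristic: a benign label containing an apostrophe will also match.
BREAKOUT = re.compile(r"""['"<>\\]""")

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; line 3 carries the advisory's proof-of-concept value.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2024:10:00:01 +0000] '
    '"GET /wp-admin/post.php?post=9&action=edit HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/May/2024:10:00:05 +0000] '
    '"GET /wp-admin/post.php?post=9&action=edit&cmb_force_send=true'
    '&cmb_send_label=Send HTTP/1.1" 200 5150',
    '203.0.113.7 - - [02/May/2024:10:00:09 +0000] '
    '"GET /wp-admin/post.php?post=9&action=edit&cmb_force_send=true'
    '&cmb_send_label=test%27%29%3B%3C%2Fscript%3E%3Cscript%3Ealert%281%29'
    '%3C%2Fscript%3E HTTP/1.1" 200 5200',
]

def suspicious_cmb_requests(log_lines):
    """Return (line_number, decoded cmb_send_label) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        target = urlsplit(match.group(1))
        if not target.path.endswith("/wp-admin/post.php"):
            continue  # the advisory's link targets the post editor only
        # parse_qs percent-decodes each value once, as the server would
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get("cmb_send_label", []):
            if BREAKOUT.search(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_cmb_requests(SAMPLE_LOG):
        print(f"line {number}: cmb_send_label={value!r}")
```

A hit only shows that a crafted link was requested; whether it ran in an admin session depends on who opened it, so correlate hits with authenticated admin activity at the same time.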
