WordPress Plugin WP Admin UI Customize Stored XSS Vulnerability (CVE-2024-53278)

Key Information 1. Vulnerability ID: - JVN#87182660 2. Vulnerability Name: - WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting 3. Affected Products: - WP Admin UI Customize versions prior to ver 1.5.14 4. Description: - WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79). 5. Impact: - If a malicious administrator customizes the admin screen with malicious content, arbitrary scripts may be executed in the browsers of other users accessing the admin screen. 6. Solution: - Update the plugin - Update the plugin to the version provided by the developer. - The developer has released the following version to address this vulnerability: - WP Admin UI Customize ver 1.5.14 7. Vendor Status: - gqevu6bsiz - WP Admin UI Customize - WP Admin UI Customize Update (1.5.14) (Text in Japanese) 8. References: - JPCERT/CC Addendum 9. CVSS Score: - CVSS v3: 3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - Base Score: 4.8 10. Credit: - Ibuki Sato reported this vulnerability to IPA. - JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. 11. Additional Information: - JPCERT Alert - JPCERT Reports - CERT Advisory - CPNI Advisory - TRnotes - CVE: CVE-2024-53278 - JVN iPedia: JVNDB-2024-000121 Summary This vulnerability is a cross-site scripting (XSS) flaw in the WordPress plugin "WP Admin UI Customize", affecting versions prior to 1.5.14. Updating to version 1.5.14 resolves the issue.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Plugin WP Admin UI Customize Stored XSS Vulnerability (CVE-2024-53278)