WordPress Logo Slider < 4.5.0 Stored XSS Vulnerability (CVE-2024-10896)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Plugin Name: Logo Slider < 4.5.0 2. Vulnerability Type: Contributor+ Stored XSS 3. Description: The plugin does not sanitize or escape Logo and Slider settings, allowing high-privilege users (such as Contributors) to perform stored cross-site scripting attacks. 4. Fixed Versions: - 4.1.0: Create a Logo, change the "Brand Name" field to "123" and set it to - 4.5.0: Create a new Logo Slider, set the "Logo Image Height" or "Logo Image Width" field to "123" and set it to 5. Affected Plugin: logo-slider-wp 6. CVE ID: CVE-2024-10896 7. URL: https://research.cleantalk.org/cve-2024-10896/ 8. Classification: - Type: XSS - OWASP Top 10: A7: Cross-Site Scripting (XSS) - CWE: CWE-79 - CVSS Score: 5.9 (Medium) 9. Original Researcher: Dmitrii Ignatyev 10. Submitter: Dmitrii Ignatyev 11. Submitter Website: https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/ 12. Verification Status: Yes 13. WPVDB ID: 1304c2b6-922d-455e-bae8-d6bf855eddd9 14. Release Date: 2024-11-07 15. Added Date: 2024-11-07 16. Updated Date: 2024-11-07 17. Other Related Vulnerabilities: - 2024-11-18: Ashe < 2.244 - Reflected Cross-Site Scripting via add_query_arg Parameter - 2021-06-21: myStickymenu < 2.5.2 - Authenticated Stored XSS - 2021-07-14: Forminator < 1.14.12 - Unauthenticated Stored XSS - 2024-04-15: Real Media Library < 4.11.12 - Authenticated (Author+) Stored Cross-Site Scripting - 2015-09-15: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS) This information helps users understand the vulnerability details, affected scope, and how to remediate it.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Logo Slider < 4.5.0 Stored XSS Vulnerability (CVE-2024-10896)

More from this source