CVE-2024-10510: Stored XSS in adBuddy+ WordPress Plugin

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Plugin Name: adBuddy+ (AdBlocker Detection) by NetfunkDesign 2. Plugin Version: <= 1.1.3 3. Vulnerability Type: Admin+ Stored XSS 4. Description: The plugin does not sanitize or escape certain settings, allowing high-privilege users (such as administrators) to execute stored cross-site scripting attacks even when the capability is disabled. 5. PoC: By adding the payload in the Custom Title and/or Button Label fields and saving, the XSS attack will be executed. 6. Affected Plugin: adbuddy-adblocker-detection 7. CVE ID: CVE-2024-10510 8. Classification: - Type: XSS - OWASP Top 10: A7: Cross-Site Scripting (XSS) - CWE: CWE-79 - CVSS Score: 3.5 (low) 9. Original Researcher: Vuln Seeker Cybersecurity Team 10. Submitter: Vuln Seeker Cybersecurity Team 11. Submitter Website: https://vulnseeker.org 12. Verification Status: Yes 13. WPVDB ID: ca499752-b516-42e7-8c2f-18e4428a92c7 14. Public Release Date: 2024-11-07 15. Added Date: 2024-11-07 16. Last Updated Date: 2024-11-07 17. Others: - WordPress-to-Lead for Salesforce CRM 1.0.1 - salesforce.php salesforce_form_shortcode Function Error Message Handling XSS - Liveforms < 3.4.0 - XSS - Seos Contact Form <= 1.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting - Simple Image Popup < 2.0.0 - Admin+ Stored XSS - Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting This information provides a detailed description of the plugin vulnerability and its scope of impact.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-10510: Stored XSS in adBuddy+ WordPress Plugin

More from this source