Key Information

Vulnerability Description
Title: WP Ulike < 4.7.6 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which allows high-privilege users (such as administrators) to perform stored cross-site scripting attacks, even when the functionality is disabled in a multisite setup.

Affected Plugin
Plugin slug: wp-ulike
Fixed in: 4.7.6

References
CVE: CVE-2024-12770
URL: https://research.cleantalk.org/cve-2024-12770

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79
CVSS score: 3.5 (Low)

Other Information
Original researcher: Dmitriy Ignatyev
Submitter: Dmitriy Ignatyev
Submitter website: https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verified: Yes
WPVDB ID: e21f6a4e-f385-411b-8d91-0f38f9e6cdd3

Timeline
Publicly published: 2024-11-19
Added: 2025-01-23
Last updated: 2025-02-12

Other Related Vulnerabilities
Gutena Kit – Gutenberg Blocks and Templates <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS
WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
ARPrice <= 4.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Advanced Woo Search < 3.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via aws_search_terms Shortcode