CVE-2024-11202

EPSS 1.64%
Veröffentlicht 26.11.2024 08:15:03
Zuletzt bearbeitet 26.11.2024 08:15:03
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode

Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Mögliche Gegenmaßnahme

CM Business Directory – Optimise and showcase local business: Update to version 1.4.2, or a newer patched version

CM E-Mail Blacklist – Simple email filtering for safer registration: Update to version 1.5.4, or a newer patched version

CM Header and Footer – Add custom scripts and styles to your header and footer with ease: Update to version 1.2.2, or a newer patched version

CM Search And Replace – Optimize content edits with a powerful search and replace tool: Update to version 1.4.3, or a newer patched version

CM Pop-Up – Create engaging popups to capture attention and boost interaction: Update to version 1.7.6, or a newer patched version

CM Video Lessons Manager – Simplify video lessons management for better education: Update to version 1.8.3, or a newer patched version

CM Tooltip Glossary: Update to version 4.3.12, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 20

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt CM Business Directory – Optimise and showcase local business

Version *-1.4.1

SystemWordPress Plugin

≫

Produkt CM E-Mail Blacklist – Simple email filtering for safer registration

Version *-1.5.3

SystemWordPress Plugin

≫

Produkt CM Header and Footer – Add custom scripts and styles to your header and footer with ease

Version *-1.2.1

SystemWordPress Plugin

≫

Produkt CM Search And Replace – Optimize content edits with a powerful search and replace tool

Version *-1.4.2

SystemWordPress Plugin

≫

Produkt CM Pop-Up – Create engaging popups to capture attention and boost interaction

Version *-1.7.5

SystemWordPress Plugin

≫

Produkt CM Video Lessons Manager – Simplify video lessons management for better education

Version *-1.8.2

SystemWordPress Plugin

≫

Produkt CM Tooltip Glossary

Version *-4.3.11

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellercreativemindssolutions

≫

Produkt CM WordPress Search And Replace Plugin

Default Statusunaffected

Version <= 1.4.2

Version *

Status affected

Herstellercreativemindssolutions

≫

Produkt Video Lessons Manager – WordPress LMS Plugin

Default Statusunaffected

Version <= 1.8.2

Version *

Status affected

Herstellercreativemindssolutions

≫

Produkt CM Tooltip Glossary

Default Statusunaffected

Version <= 4.3.11

Version *

Status affected

Herstellercreativemindssolutions

≫

Produkt CM Pop-Up Banners for WordPress

Default Statusunaffected

Version <= 1.7.5

Version *

Status affected

Herstellercreativemindssolutions

≫

Produkt CM Header & Footer Script Loader – Insert Script Plugin

Default Statusunaffected

Version <= 1.2.1

Version *

Status affected

Herstellercreativemindssolutions

≫

Produkt Name: CM E-Mail Registration Blacklist

Default Statusunaffected

Version <= 1.5.3

Version *

Status affected

Herstellercreativemindssolutions

≫

Produkt CM Business Directory Plugin – Business Listing Directory

Default Statusunaffected

Version <= 1.4.1

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.64%	0.816

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/package/cminds-free.php#L1465

https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/package/cminds-free.php#L1465

https://plugins.trac.wordpress.org/browser/cm-header-footer-script-loader/trunk/package/cminds-free.php#L1465

https://plugins.trac.wordpress.org/browser/cm-on-demand-search-and-replace/trunk/package/cminds-free.php#L1469

https://plugins.trac.wordpress.org/browser/cm-pop-up-banners/trunk/package/cminds-free.php#L1471

https://plugins.trac.wordpress.org/browser/cm-video-lesson-manager/trunk/package/cminds-free.php#L1465

https://plugins.trac.wordpress.org/browser/enhanced-tooltipglossary/trunk/package/cminds-free.php#L1465

https://plugins.trac.wordpress.org/changeset/3191536/

https://plugins.trac.wordpress.org/changeset/3192354/

https://plugins.trac.wordpress.org/changeset/3192381/

https://plugins.trac.wordpress.org/changeset/3192416/

https://plugins.trac.wordpress.org/changeset/3192808/