4.7
CVE-2024-2428
- EPSS 0.5%
- Veröffentlicht 10.04.2024 05:15:49
- Zuletzt bearbeitet 08.05.2025 21:13:34
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginThe Ultimate Video Player For WordPress < 2.2.3 - Contributor+ Stored XSS
The Ultimate Video Player For WordPress <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks
Mögliche Gegenmaßnahme
Presto Player: Update to version 2.2.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Prestoplayer ≫ Presto Player SwPlatformwordpress Version < 2.2.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Presto Player
Version
*-2.2.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.5% | 0.385 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 4.7 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://wpscan.com/vulnerability/4832e223-4571-4b45-97db-2fd403797c49/
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4250395-3709-47cd-86d4-e6a1fec10298