6.4
CVE-2024-5020
- EPSS 0.21%
- Veröffentlicht 04.12.2024 09:15:04
- Zuletzt bearbeitet 04.12.2024 09:15:04
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
Thumbnail Slider With Lightbox <= 1.0.21 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Mögliche Gegenmaßnahme
Accordion Slider: Update to version 1.9.13, or a newer patched version
Colibri Page Builder: Update to version 1.0.288, or a newer patched version
Easy Social Feed Premium: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Firelight Lightbox: Update to version 2.3.4, or a newer patched version
Gallery Plugin for WordPress – Envira Photo Gallery: Update to version 1.8.16, or a newer patched version
FancyBox for WordPress: Update to version 3.3.5, or a newer patched version
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder: Update to version 1.15.28, or a newer patched version
FV Flowplayer Video Player: Update to version 7.5.48.7212, or a newer patched version
Getwid – Gutenberg Blocks: Update to version 2.0.12, or a newer patched version
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery: Update to version 3.59.5, or a newer patched version
Responsive Lightbox & Gallery: Update to version 2.4.9, or a newer patched version
Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates: Update to version 4.3.2, or a newer patched version
Visual Portfolio, Photo Gallery & Post Grid: Update to version 3.3.10, or a newer patched version
WPC Smart Quick View for WooCommerce: Update to version 4.1.2, or a newer patched version
Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel: Update to version 2.6.9, or a newer patched version
Thumbnail Slider With Lightbox: Update to version 1.0.22, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Accordion Slider
Version
* - 1.9.12
SystemWordPress Plugin
≫
Produkt
Colibri Page Builder
Version
* - 1.0.286
SystemWordPress Plugin
≫
Produkt
Easy Social Feed Premium
Version
* - 6.6.2
SystemWordPress Plugin
≫
Produkt
Firelight Lightbox
Version
* - 2.3.3
SystemWordPress Plugin
≫
Produkt
Gallery Plugin for WordPress – Envira Photo Gallery
Version
* - 1.8.15
SystemWordPress Plugin
≫
Produkt
FancyBox for WordPress
Version
* - 3.3.4
SystemWordPress Plugin
≫
Produkt
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Version
* - 1.15.27
SystemWordPress Plugin
≫
Produkt
FV Flowplayer Video Player
Version
* - 7.5.47.7212
SystemWordPress Plugin
≫
Produkt
Getwid – Gutenberg Blocks
Version
* - 2.0.11
SystemWordPress Plugin
≫
Produkt
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Version
* - 3.59.4
SystemWordPress Plugin
≫
Produkt
Responsive Lightbox & Gallery
Version
* - 2.4.8
SystemWordPress Plugin
≫
Produkt
Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates
Version
* - 4.3.1
SystemWordPress Plugin
≫
Produkt
Visual Portfolio, Photo Gallery & Post Grid
Version
* - 3.3.9
SystemWordPress Plugin
≫
Produkt
WPC Smart Quick View for WooCommerce
Version
* - 4.1.1
SystemWordPress Plugin
≫
Produkt
Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel
Version
* - 2.6.8
SystemWordPress Plugin
≫
Produkt
Thumbnail Slider With Lightbox
Version
* - 1.0.21
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerextendthemes
≫
Produkt
Colibri Page Builder
Default Statusunaffected
Version <=
1.0.286
Version
*
Status
affected
Herstellersmub
≫
Produkt
Gallery Plugin for WordPress – Envira Photo Gallery
Default Statusunaffected
Version <=
1.8.15
Version
*
Status
affected
Herstellerbqworks
≫
Produkt
Accordion Slider
Default Statusunaffected
Version <=
1.9.12
Version
*
Status
affected
Hersteller10web
≫
Produkt
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Default Statusunaffected
Version <=
1.15.27
Version
*
Status
affected
Herstellerjetmonsters
≫
Produkt
Getwid – Gutenberg Blocks
Default Statusunaffected
Version <=
2.0.11
Version
*
Status
affected
Herstellerfirelightwp
≫
Produkt
Firelight Lightbox
Default Statusunaffected
Version <=
2.3.3
Version
*
Status
affected
Herstellerdfactory
≫
Produkt
Responsive Lightbox & Gallery
Default Statusunaffected
Version <=
2.4.8
Version
*
Status
affected
Herstellershapedplugin
≫
Produkt
Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid
Default Statusunaffected
Version <=
2.6.8
Version
*
Status
affected
Herstellercolorlibplugins
≫
Produkt
FancyBox for WordPress
Default Statusunaffected
Version <=
3.3.4
Version
*
Status
affected
Herstellernko
≫
Produkt
Visual Portfolio, Photo Gallery & Post Grid
Default Statusunaffected
Version <=
3.3.9
Version
*
Status
affected
Herstellersmub
≫
Produkt
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery
Default Statusunaffected
Version <=
3.59.4
Version
*
Status
affected
Herstellerwpclever
≫
Produkt
WPC Smart Quick View for WooCommerce
Default Statusunaffected
Version <=
4.1.1
Version
*
Status
affected
HerstellerEasy Social Feed
≫
Produkt
Easy Social Feed Premium
Default Statusunaffected
Version <=
6.6.2
Version
*
Status
affected
Herstellerfoliovision
≫
Produkt
FV Flowplayer Video Player
Default Statusunaffected
Version <=
7.5.47.7212
Version
*
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.437 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 6.4 | 3.1 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.