CVE-2024-11202

Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Los complementos Multiple para WordPress son vulnerables a Cross-Site Scripting reflejado a través del código corto cminds_free_guide en varias versiones debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en páginas que se ejecutan si logran engañar a un usuario para que realice una acción, como hacer clic en un enlace.

*Credits: Peter Thaleikis

CVSS Scores

Wordfencev3.1 6.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-11-14 CVE Reserved
2024-11-25 CVE Published
2024-11-26 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (16)

URL	Tag	Source
https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/package/cminds-free.php#L1465
https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/package/cminds-free.php#L1465
https://plugins.trac.wordpress.org/browser/cm-header-footer-script-loader/trunk/package/cminds-free.php#L1465
https://plugins.trac.wordpress.org/browser/cm-on-demand-search-and-replace/trunk/package/cminds-free.php#L1469
https://plugins.trac.wordpress.org/browser/cm-pop-up-banners/trunk/package/cminds-free.php#L1471
https://plugins.trac.wordpress.org/browser/cm-video-lesson-manager/trunk/package/cminds-free.php#L1465
https://plugins.trac.wordpress.org/browser/enhanced-tooltipglossary/trunk/package/cminds-free.php#L1465
https://plugins.trac.wordpress.org/changeset/3191536
https://plugins.trac.wordpress.org/changeset/3192354
https://plugins.trac.wordpress.org/changeset/3192381
https://plugins.trac.wordpress.org/changeset/3192416
https://plugins.trac.wordpress.org/changeset/3192808
https://plugins.trac.wordpress.org/changeset/3193808
https://plugins.trac.wordpress.org/changeset/3194393
https://wordpress.org/plugins/cm-pop-up-banners/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Creativemindssolutions Search vendor "Creativemindssolutions"		CM WordPress Search And Replace Plugin Search vendor "Creativemindssolutions" for product "CM WordPress Search And Replace Plugin"				<= 1.4.2 Search vendor "Creativemindssolutions" for product "CM WordPress Search And Replace Plugin" and version " <= 1.4.2"		en		Affected
Creativemindssolutions Search vendor "Creativemindssolutions"		Video Lessons Manager – WordPress LMS Plugin Search vendor "Creativemindssolutions" for product "Video Lessons Manager – WordPress LMS Plugin"				<= 1.8.2 Search vendor "Creativemindssolutions" for product "Video Lessons Manager – WordPress LMS Plugin" and version " <= 1.8.2"		en		Affected
Creativemindssolutions Search vendor "Creativemindssolutions"		CM Tooltip Glossary Search vendor "Creativemindssolutions" for product "CM Tooltip Glossary"				<= 4.3.11 Search vendor "Creativemindssolutions" for product "CM Tooltip Glossary" and version " <= 4.3.11"		en		Affected
Creativemindssolutions Search vendor "Creativemindssolutions"		CM Pop-Up Banners For WordPress Search vendor "Creativemindssolutions" for product "CM Pop-Up Banners For WordPress"				<= 1.7.5 Search vendor "Creativemindssolutions" for product "CM Pop-Up Banners For WordPress" and version " <= 1.7.5"		en		Affected
Creativemindssolutions Search vendor "Creativemindssolutions"		CM Header & Footer Script Loader – Insert Script Plugin Search vendor "Creativemindssolutions" for product "CM Header & Footer Script Loader – Insert Script Plugin"				<= 1.2.1 Search vendor "Creativemindssolutions" for product "CM Header & Footer Script Loader – Insert Script Plugin" and version " <= 1.2.1"		en		Affected
Creativemindssolutions Search vendor "Creativemindssolutions"		Name CM E-Mail Registration Blacklist Search vendor "Creativemindssolutions" for product "Name CM E-Mail Registration Blacklist"				<= 1.5.3 Search vendor "Creativemindssolutions" for product "Name CM E-Mail Registration Blacklist" and version " <= 1.5.3"		en		Affected
Creativemindssolutions Search vendor "Creativemindssolutions"		CM Business Directory Plugin – Business Listing Directory Search vendor "Creativemindssolutions" for product "CM Business Directory Plugin – Business Listing Directory"				<= 1.4.1 Search vendor "Creativemindssolutions" for product "CM Business Directory Plugin – Business Listing Directory" and version " <= 1.4.1"		en		Affected