CVE-2024-7879

WP ULike < 4.7.5 - Admin+ Stored XSS via Widgets

Severity Score

4.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The WP ULike WordPress plugin before 4.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

*Credits: Dmitrii Ignatyev, WPScan

CVSS Scores

CISAv3.1 4.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-16 CVE Reserved
2024-11-06 CVE Published
2024-11-06 CVE Updated
2024-11-06 First Exploit
2024-11-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://wpscan.com/vulnerability/5ad1c40a-5e13-40b6-8652-c23a1f39abc2	2024-11-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Unknown Search vendor "Unknown"		WP ULike Search vendor "Unknown" for product "WP ULike"				< 4.7.5 Search vendor "Unknown" for product "WP ULike" and version " < 4.7.5"		en		Affected