CVE-2008-1304
Published 2008-03-12
Priority P421 · medium · 4.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 5.00% (91.2th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | — | — |
| wordpress | wordpress | — | — |
CVSS provenance
nvd · v2.0 · 4.3 · MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_debian · 4.3 · LOW
vendor_redhat · 4.3 · MEDIUM
Red Hat
wordpress: multiple XSS issues in invite action
vendor_redhat·2008-03-07·CVSS 4.3
CVE-2008-1304 [MEDIUM] CWE-79
Debian
CVE-2008-1304: wordpress - Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow rem...
vendor_debian·2008·CVSS 4.3
CVE-2008-1304 [MEDIUM]
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-qjrj-cvjq-fxjr: Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2
ghsa_unreviewed·2022-05-01
CVE-2008-1304 [MEDIUM] CWE-79
No detection rules found.
Exploit-DB
WordPress Core 2.3.2 - '/wp-admin/invites.php?to' Cross-Site Scripting
exploitdb·2008-03-07
---
source: https://www.securityfocus.com/bid/28139/info
WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WordPress 2.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/invites.php?result=sent&to=%22%3E%3Cscript%3Ealert
Exploit-DB
WordPress Core 2.3.2 - '/wp-admin/users.php?inviteemail' Cross-Site Scripting
exploitdb·2008-03-07
---
source: https://www.securityfocus.com/bid/28139/info
http://www.example.com/wp-admin/users.php?update=invite&inviteemail=>
http://securityreason.com/securityalert/3732
http://securitytracker.com/id?1019564
http://www.hackerscenter.com/index.php?/Latest-posts/114-WordPress-Multiple-Cross-Site-Scripting-Vulnerabilities.html?id=114
http://www.securityfocus.com/archive/1/489241/100/0/threaded
http://www.securityfocus.com/bid/28139
https://exchange.xforce.ibmcloud.com/vulnerabilities/41055
https://exchange.xforce.ibmcloud.com/vulnerabilities/41056