CVE-2024-30194
published 2024-03-27

CVE-2024-30194: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sunshinephotocart Sunshine Photo Cart…

Priority: P279 · medium 6.1 · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 0.73% (49.5th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart. This issue affects Sunshine Photo Cart: from n/a through <= 3.1.1.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
sunshinephotocart | sunshine_photo_cart | < 3.1.2 | 3.1.2
sunshinephotocart | sunshine_photo_cart | <= 3.1.1 |

Detection & IOCs (extracted from sources)

url: /wp-admin/edit.php?post_type=sunshine-gallery&page=sunshine-reports&report=orders%22%20onmouseover=alert(document.domain)%3Bthis.remove()%3B%20style=position:fixed%3Bleft:0%3Btop:0%3Bwidth:100vw%3Bheight:100vh%3B
path: /wp-admin/edit.php?post_type=sunshine-gallery&page=sunshine-reports
  • Detect exploitation attempts by monitoring GET requests to /wp-admin/edit.php with parameters post_type=sunshine-gallery, page=sunshine-reports, and a 'report' parameter containing unencoded double-quote or XSS payloads (e.g., onmouseover, onerror event handlers).
  • Confirm successful XSS reflection by checking that the HTTP 200 response body contains both the unsanitized payload string 'onmouseover=alert(document.domain);this.remove(); style=position:fixed;left:0;top:0;width:100vw;height:100vh;' and the string 'Sunshine Photo Cart'.
  • The exploit requires an authenticated session; look for a preceding POST to /wp-login.php followed immediately by the malicious GET to the sunshine-reports page, with a wordpress_logged_in cookie present in the subsequent request.
  • The login step is confirmed by a 302 redirect response containing the 'wordpress_logged_in' string in the response headers.
  • The vulnerability affects Sunshine Photo Cart plugin versions up to and including 3.1.1; versions beyond this are not affected.
  • Exploitation requires the attacker to be authenticated (logged-in WordPress user); the nuclei template uses a two-step flow gated on a successful login before issuing the XSS probe.
  • The XSS is reflected via the 'report' query parameter on the sunshine-reports admin page; the injection point is specifically the value of that parameter being echoed unsanitized into the page.
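The detection logic in the bullets above, written out as a log-correlation check. This is an added example, not part of this record or of any vendor tooling; the access-log events, IP addresses and cookie values are constructed, and the log shape (ip, method, url, status, cookie) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/wp-admin/edit.php"
# Raw double-quote or an on*= event-handler attribute inside the 'report' value.
XSS_MARKER = re.compile(r'"|\bon\w+\s*=', re.IGNORECASE)


def is_report_xss_probe(method, url):
    """True if the request matches the reflected-XSS probe shape from the IOCs."""
    if method != "GET":
        return False
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return False
    qs = parse_qs(parts.query)  # percent-decodes values for us
    if qs.get("post_type") != ["sunshine-gallery"] or qs.get("page") != ["sunshine-reports"]:
        return False
    report = qs.get("report", [""])[0]
    return bool(XSS_MARKER.search(report))


def detect(events):
    """Walk access-log events in order; return (ip, verdict) alerts for probes."""
    logged_in = set()  # clients that completed the login step (POST /wp-login.php -> 302)
    alerts = []
    for ip, method, url, status, cookie in events:
        if method == "POST" and urlsplit(url).path == "/wp-login.php" and status == 302:
            logged_in.add(ip)
        elif is_report_xss_probe(method, url):
            authed = ip in logged_in and "wordpress_logged_in" in cookie
            alerts.append((ip, "authenticated-probe" if authed else "unauthenticated-probe"))
    return alerts


# Constructed sample log: the IOC URL from this record, one benign report view, one bare probe.
PROBE_URL = ("/wp-admin/edit.php?post_type=sunshine-gallery&page=sunshine-reports&report=orders%22%20"
             "onmouseover=alert(document.domain)%3Bthis.remove()%3B%20style=position:fixed%3Bleft:0%3B"
             "top:0%3Bwidth:100vw%3Bheight:100vh%3B")
BENIGN_URL = "/wp-admin/edit.php?post_type=sunshine-gallery&page=sunshine-reports&report=orders"
SAMPLE_EVENTS = [
    ("203.0.113.7", "POST", "/wp-login.php", 302, ""),
    ("203.0.113.7", "GET", PROBE_URL, 200, "wordpress_logged_in_0123=editor%7Cplaceholder"),
    ("198.51.100.4", "GET", BENIGN_URL, 200, "wordpress_logged_in_0123=admin%7Cplaceholder"),
    ("192.0.2.9", "GET", PROBE_URL, 302, ""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```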

CVSS provenance

nvd: v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 6.1 MEDIUM