CVE-2024-4289: Cross-site Scripting in Sailthru Triggermail

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.3% (top 47.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 21

Description

The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting vulnerability that could be used against high-privilege users such as admins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 1 package

Vulnerability Details (2)

CVEList: Sailthru Triggermail <= 1.1 - Reflected XSS (2024-05-21)
GHSA: GHSA-mqv8-r98f-v6vp: The Sailthru Triggermail WordPress plugin through 1 (2024-05-21)
CVE-2024-4289 — Cross-site Scripting | cvebase