CVE-2024-5033

CWE-352Cross-Site Request Forgery (CSRF)CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.9MEDIUM
EPSS
0.1%
top 71.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown SullyToolstack Sully
Timeline
PublishedJul 13

Description

The SULly WordPress plugin before 4.3.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:LExploitability: 1.7 | Impact: 3.7

Affected Packages2 packages

CVEListV5unknown/sully< 4.3.1
NVDtoolstack/sully< 4.3.1

🔴Vulnerability Details

2
CVEList
SULly < 4.3.1 - Admin+ Stored XSS via CSRF2024-07-13
GHSA
GHSA-wh4c-fpvw-r5xc: The SULly WordPress plugin before 42024-07-13