Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-6651

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

12.0%

top 6.24%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Unknown Wordpress File Upload Iptanus Wordpress File Upload

Timeline

PublishedAug 6

Description

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/wordpress_file_upload< 4.24.8

▶NVDiptanus/wordpress_file_upload< 4.24.8

🔴Vulnerability Details

CVEList

WordPress File Upload < 4.24.8 - Reflected XSS↗2024-08-06

▶

GHSA

GHSA-54v7-45g9-xcqh: The WordPress File Upload WordPress plugin before 4↗2024-08-06

▶

💥Exploits & PoCs

Nuclei

WordPress File Upload Plugin < 4.24.8 - Cross-Site Scripting

▶