CVE-2024-6887 β€” Cross-site Scripting in Rafflepress

CWE-79 β€” Cross-site Scripting3 documents3 sources
Severity
4.8MEDIUMNVD
EPSS
0.2%
top 55.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Seedprod Rafflepress
Timeline
PublishedSep 12

Description

The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

β–ΆNVDseedprod/rafflepress< 1.12.16

πŸ”΄Vulnerability Details

2
CVEList
Giveaways and Contests by RafflePress < 1.12.16 - Editor+ Stored XSS↗2024-09-12
β–Ά
GHSA
GHSA-qmm9-m4wr-gv24: The Giveaways and Contests by RafflePress WordPress plugin before 1β†—2024-09-12
β–Ά
CVE-2024-6887 β€” Cross-site Scripting in Rafflepress | cvebase