CVE-2024-9292
Published 2024-10-08
Priority P429 · Severity: medium · CVSS 3.1 base score: 6.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.28% (20.0th percentile)
The Bridge Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qode | bridge_core | <= 3.2.0 | — |
| rack | rack-contrib | >= 0 < 2.5.0 | 2.5.0 |
GHSA
GHSA-5wv5-rqhr-9cj5 · ghsa_unreviewed · 2024-10-08 · CVE-2024-9292 [MEDIUM] CWE-79
The Bridge Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
GHSA
ghsa · 2024-05-28 · CVE-2024-35231 [HIGH] CWE-770
rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter
### Summary
The following Ruby code is vulnerable to denial of service because the user-controlled value `profiler_runs` is not constrained by any limit, which allows resources to be allocated on the server side without bound (CWE-770).
```ruby
runs = (request.params['profiler_runs'] || @times).to_i
result = @profile.profile do
  runs.times { @app.call(env) }
end
```
A request such as `curl --fail "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"` may cause resource exhaustion through a remotely controlled value.
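The hardened counterpart to that pattern, as an added example that is not rack-contrib's own code or its 2.5.0 fix: the client-supplied `profiler_runs` is parsed strictly and clamped to an operator-chosen ceiling before it becomes a loop bound. The ceiling (`MAX_PROFILER_RUNS`), the default, the `BoundedProfiler` class and the standard-library query parsing used in place of `request.params` are all assumptions made so the example runs without the rack gem.

```ruby
require 'uri'

# Added example, not rack-contrib's code. Ceiling and default are assumptions.
MAX_PROFILER_RUNS     = 100
DEFAULT_PROFILER_RUNS = 1

# Stand-in for Rack's request.params: parse a raw query string with the
# standard library so the example runs without the rack gem installed.
def parse_params(query_string)
  URI.decode_www_form(query_string.to_s).to_h
end

# The vulnerable pattern (CWE-770): a client-supplied number becomes the loop
# bound with no upper limit, so one request can force billions of app calls.
def unbounded_runs(params)
  (params['profiler_runs'] || DEFAULT_PROFILER_RUNS).to_i
end

# Hardened form: accept only an unsigned decimal string and clamp it into
# [1, max]. Anything else ("-5", "1e9", "", "abc") falls back to the default,
# so a remote caller can never choose a bound above the operator's ceiling.
def bounded_runs(params, max: MAX_PROFILER_RUNS)
  raw = params['profiler_runs'].to_s
  return DEFAULT_PROFILER_RUNS if raw.strip.empty?
  return DEFAULT_PROFILER_RUNS unless raw.match?(/\A\d+\z/)
  raw.to_i.clamp(1, max)
end

# Rack-style middleware applying the bounded value. It counts downstream
# calls so the cap can be verified without a real profiler or web server.
class BoundedProfiler
  attr_reader :calls

  def initialize(app, max_runs: MAX_PROFILER_RUNS)
    @app = app
    @max_runs = max_runs
    @calls = 0
  end

  def call(env)
    params = parse_params(env['QUERY_STRING'])
    runs = bounded_runs(params, max: @max_runs)
    response = nil
    runs.times do
      @calls += 1
      response = @app.call(env)
    end
    response
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request mirroring the curl example above.
  env = { 'QUERY_STRING' => 'profiler_runs=9999999999&profile=process_time' }
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  mw = BoundedProfiler.new(app, max_runs: 10)
  mw.call(env)
  puts "unbounded code would loop #{unbounded_runs(parse_params(env['QUERY_STRING']))} times"
  puts "bounded middleware called the app #{mw.calls} times"
end
```

The regex check matters as much as the clamp: `"1e9".to_i` and `"-5".to_i` silently become 1 and -5, so validating the string shape first keeps the parse predictable, and the clamp turns an attacker-chosen amplification factor into a fixed, auditable cost per request.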
### PoC
The `config.ru` file:
```ruby
require 'rack'
require 'rack/contrib'
use Rack::Profiler # if ENV['RACK_ENV']
# Downstream app added here so the file runs under rackup; the page cuts off
# before this line, so the app actually used in the original PoC is unknown.
run ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.