CVE-2024-12878: Lazy Blocks <= 3.8.2 - Cross-Site Scripting
Vulnerability Description
The Custom Block Builder WordPress plugin (versions < 3.8.3) contains a reflected cross-site scripting vulnerability caused by a lack of sanitization and escaping of a parameter before output. This lets attackers execute malicious scripts in the browsers of high-privilege users; exploitation requires the victim to load a malicious page.
[Publicly disclosed]
id: CVE-2024-12878

info:
  name: Lazy Blocks <= 3.8.2 - Cross-Site Scripting
  author: Shivam Kamboj
  severity: medium
  description: |
    Custom Block Builder WordPress plugin < 3.8.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to load malicious page.
  impact: |
    Attackers can execute malicious scripts in high privilege users' browsers, potentially leading to session hijacking or account compromise.
  remediation: |
    Update to version 3.8.3 or later.
  reference:
    - https://wpscan.com/vulnerability/827444d1-87cb-4057-827a-d802eac82cf8/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-12878
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2024,wordpress,wp,wp-plugin,lazy-blocks,xss,reflected,authenticated

flow: http(1) && http(2)

http:
  - r
Affected Scope
Unknown
Remediation
None available