WP Finance WordPress plugin <= 1.3.6 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute scripts in high privilege users' browsers, exploit requires victim to click a malicious link. [已公开] id: CVE-2024-13097 info: name: WP Finance Plugin <= 1.3.6 - Cross-Site Scripting author: Sourabh-Sahu severity: medium description: | WP Finance WordPress plugin <= 1.3.6 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute scripts in high privilege users' browsers, exploit requires victim to click a malicious link. impact: | Attackers can execute malicious scripts in high privilege users' browsers, potentially leading to session hijacking or account compromise. remediation: | Update to the latest version of WP Finance plugin that addresses this issue or apply security patches that sanitize and escape output properly. reference: - https://wpscan.com/vulnerability/d83d7274-55ae-4f35-b65e-6d6e19e36fac/ - https://nvd.nist.gov/vuln/detail/CVE-2024-13097 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A

未知