CVE-2024-13099: Widget4Call WordPress - Cross-Site Scripting
漏洞描述
Widget4Call WordPress plugin <= 1.0.7 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. [已公开] id: CVE-2024-13099 info: name: Widget4Call WordPress - Cross-Site Scripting author: Sourabh-Sahu severity: medium description: | Widget4Call WordPress plugin <= 1.0.7 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. impact: | Attackers can execute arbitrary scripts in the context of high privilege users, potentially leading to account compromise or data theft. remediation: | Update to the latest version of Widget4Call plugin that addresses this issue. reference: - https://wpscan.com/vulnerability/a0cabf5c-7b01-4163-834b-a134db3a90b4/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N cvss-score: 5.4 cve-id: CVE-2024-13099 cwe-id: CWE-79 epss-score: 0.00954 epss-percentile: 0.76081 cpe: cpe:2.3:a:apidaze:widget4c
影响范围
未知
修复建议
暂无