CVE-2024-39310

Published: Jul 1, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `post_title` parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. Because the of the default WordPress validation, it is not possible to insert the payload directly but if the Cooked plugin is installed, it is possible to create a recipe post type (cp_recipe) and inject the payload in the title field. Version 2.0.5 contains a patch for the issue.

Vendor	Product	Versions
XjSv	Basil	affected `< 2.0.5`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/XjSv/Basil/security/advisories/GHSA-cr7v-8v2h-49vx

x_refsource_CONFIRM

https://github.com/XjSv/Basil/commit/e2b1dbf1637d1ec2663f9aa1a563b02dc76a8146

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-39310

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References