CVE-2024-2738

EUVD-2024-27683
The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Cross-site Scripting
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.1 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
EPSS Score percentile: 78%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| permalink_manager_lite_project | permalink_manager_lite | 𝑥 < 2.4.3.2 |

𝑥 = Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| permalink_manager_lite_project | permalink_manager_lite | 𝑥 ≤ 2.4.3.1 | ADP |
| permalink_manager_project | permalink_manager | 𝑥 ≤ 2.4.3.1 | ADP |