CVE-2024-9435

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 4, 2024 / Updated: 46d ago

CVSS 6.1 / EPSS 0.05% / Medium

Summary

The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
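As an added illustration of the CWE-79 pattern the summary describes (reflecting URL parameter names into markup), here is a hypothetical vulnerable snippet beside a hardened form that uses WordPress's own sanitization and escaping helpers. This is not the ShiftController plugin's code, which the advisory does not show; the function names are invented for the example.

```php
<?php
// Hypothetical illustration of CWE-79 (reflected XSS via URL keys) in a
// WordPress plugin. NOT the ShiftController plugin's code.
// Scenario: a form carries the current request's query parameters forward by
// emitting one hidden field per URL key. The KEY (parameter name) is attacker
// controlled and is written into HTML without escaping.

// Vulnerable: parameter names and values from $_GET are echoed raw into markup.
function sc_demo_hidden_fields_vulnerable(): string {
    $html = '';
    foreach ($_GET as $key => $value) {
        // $key is reflected unescaped: a crafted parameter name can close the
        // attribute and the tag, so script runs in the viewing user's browser.
        $html .= '<input type="hidden" name="' . $key . '" value="' . (string) $value . '">';
    }
    return $html;
}

// Hardened: constrain the key to a safe character set, allow-list it, and
// escape everything on output for the HTML attribute context.
function sc_demo_hidden_fields_fixed(array $allowed_keys): string {
    $html = '';
    foreach ($_GET as $key => $value) {
        // sanitize_key() lowercases and strips everything except [a-z0-9_-].
        $key = sanitize_key($key);
        // Only keys the form actually needs are carried forward.
        if ($key === '' || !in_array($key, $allowed_keys, true)) {
            continue;
        }
        // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
        // strips tags and control characters; esc_attr() escapes for attributes.
        $html .= sprintf(
            '<input type="hidden" name="%s" value="%s">',
            esc_attr($key),
            esc_attr(sanitize_text_field(wp_unslash((string) $value)))
        );
    }
    return $html;
}
```

Note that sanitization of input and escaping at the point of output are both needed; the advisory attributes the flaw to both being insufficient.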

Impact

This vulnerability allows attackers to inject malicious scripts into web pages viewed by users of the affected WordPress sites. When executed, these scripts can steal sensitive information, manipulate page content, or perform actions on behalf of the victim. The attack requires user interaction, such as clicking a specially crafted link, which limits its impact. The vulnerability affects the confidentiality and integrity of the system, but not its availability. Given the CVSS base score of 6.1, this vulnerability is considered of medium severity.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been addressed in versions after 4.9.66 of the ShiftController Employee Shift Scheduling plugin for WordPress. The patch details indicate that a change was made on 2024-10-08, suggesting that this is when the fix was implemented.

Mitigation

1. Update the ShiftController Employee Shift Scheduling plugin to a version newer than 4.9.66 as soon as possible.
2. If immediate updating is not possible, consider temporarily disabling the plugin until it can be updated.
3. Implement a strong Content Security Policy (CSP) to mitigate the impact of XSS attacks.
4. Educate users about the risks of clicking on unknown or suspicious links, especially those related to the ShiftController plugin functionality.
5. Regularly monitor for and apply security updates to all WordPress plugins, themes, and core installations.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9435.

Oct 4, 2024 at 3:34 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 4, 2024 at 3:34 AM
CVE Assignment

NVD published the first details for CVE-2024-9435

Oct 4, 2024 at 7:15 AM
CVSS

A CVSS base score of 6.1 has been assigned.

Oct 4, 2024 at 7:15 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.3%)

Oct 5, 2024 at 10:50 AM

Affected Systems

Plainware/shiftcontroller

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

cveNotify : 🚨 CVE-2024-9435The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.🎖@cveNotify
CVE Alert: CVE-2024-9435
CVE-2024-9435
Medium Severity Description The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Read more at https://www.tenable.com/cve/CVE-2024-9435
Medium - CVE-2024-9435 - The ShiftController Employee Shift Scheduling...
The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient...
Unauthenticated Cross-Site Scripting Vulnerability in ShiftController Employee Shift Scheduling Plugin for WordPress
Plainware - MEDIUM - CVE-2024-9435 The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
