FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2024-9883

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Nov 5, 2024 / Updated: 14d ago

010
CVSS 4.8EPSS 0.04%Medium
CVE info copied to clipboard

Summary

The Pods WordPress plugin before version 3.2.7.1 contains a vulnerability where it does not properly sanitize and escape some of its settings. This can allow high privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks, even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Impact

This vulnerability could allow attackers with high-level privileges to inject malicious scripts into web pages. These scripts would then be executed in the browsers of other users visiting the affected pages. The impact is primarily on confidentiality and integrity, with a low severity for both. There is no direct impact on system availability. The attack requires user interaction and can affect resources beyond the security scope of the vulnerable component.

Exploitation

One proof-of-concept exploit is available on wpscan.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 3.2.7.1 of the Pods WordPress plugin. Users should update to this version or later to mitigate the risk.

Mitigation

1. Update the Pods WordPress plugin to version 3.2.7.1 or later. 2. Implement the principle of least privilege, limiting the number of users with high-level privileges. 3. Regularly audit and monitor activities of privileged users. 4. Consider implementing additional security measures such as Web Application Firewalls (WAF) to help detect and prevent XSS attacks. 5. Educate users, especially those with high privileges, about the risks of XSS and safe practices when using the plugin.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9883

Nov 5, 2024 at 6:15 AM
First Article

Feedly found the first article mentioning CVE-2024-9883. See article

Nov 5, 2024 at 6:20 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as LOW

Nov 5, 2024 at 6:20 AM
CVSS

A CVSS base score of 4.8 has been assigned.

Nov 5, 2024 at 4:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 10:26 AM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Nov 6, 2024 at 8:10 PM
Static CVE Timeline Graph

Affected Systems

Podsfoundation/pods
+null more

Exploits

https://wpscan.com/vulnerability/ea4b277e-ef47-4e38-bd82-c5a54a95372f/
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

CVE-2024-9883 Exploit
inTheWild.io Exploits / 13d
CVE Id : CVE-2024-9883 Published Date: 2024-11-06T17:32:00+00:00 The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). inTheWild added a link to an exploit: https://wpscan.com/vulnerability/ea4b277e-ef47-4e38-bd82-c5a54a95372f/
CVE-2024-9883
Newest CVEs from Tenable / 14d
Medium Severity Description The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Read more at https://www.tenable.com/cve/CVE-2024-9883
CVE-2024-9883 | Pods Plugin up to 3.2.7.0 on WordPress Setting cross site scripting
VulDB Recent Entries / 14d
A vulnerability was found in Pods Plugin up to 3.2.7.0 on WordPress. It has been declared as problematic . This vulnerability affects unknown code of the component Setting Handler . The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-9883 . The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-9883 - Pods Stored Cross-Site Scripting Vulnerability
Latest Vulnerabilities / 14d
CVE ID : CVE-2024-9883 Published : Nov. 5, 2024, 6:15 a.m. 49 minutes ago Description : The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE / 14d
CVE-2024-9883 Pods https://www. cve.org/CVERecord?id=CVE-2024- 9883 https:// wpscan.com/vulnerability/ea4b2 77e-ef47-4e38-bd82-c5a54a95372f/ # CVE_2024_9883 # bot
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

CVSS 4.8(21798)CWE-79(31345)Podsfoundation(5)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial