CVE-2024-9886

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 30, 2024 / Updated: 21d ago

010
CVSS 6.4EPSS 0.05%Medium
CVE info copied to clipboard

The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9886. See article

Oct 30, 2024 at 2:29 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 30, 2024 at 2:29 AM
CVE Assignment

NVD published the first details for CVE-2024-9886

Oct 30, 2024 at 3:15 AM
CVSS

A CVSS base score of 6.4 has been assigned.

Oct 30, 2024 at 3:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 22.2%)

Oct 30, 2024 at 10:18 AM
Static CVE Timeline Graph

Affected Systems

Wordpress/wordpress
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

CVE-2024-9886
Medium Severity Description The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Read more at https://www.tenable.com/cve/CVE-2024-9886
Medium - CVE-2024-9886 - The WP Baidu Map plugin for WordPress is...
The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to...
CVE-2024-9886
Gravedad 3.1 (CVSS 3.1 Base Score) Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
WP Baidu Map <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Suifengtec - MEDIUM - CVE-2024-9886 The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9886
The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected...
See 4 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI