CVE-2024-9895

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 5.4 / EPSS 0.07% / Medium

Summary

The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on user supplied attributes in the plugin's moo_receipt_link shortcode. This vulnerability affects all versions up to and including 1.5.7.

Impact

This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages through the shortcode's attributes. Contributors normally cannot publish raw HTML, because WordPress filters post content from accounts that lack the unfiltered_html capability, so an unescaped shortcode attribute is a path around that filter. The injected script executes whenever any user views an affected page. The potential impacts include:
1. Data theft: attackers could steal sensitive information from users' browsers, including session cookies or other authentication tokens.
2. Account takeover: the injected script could perform actions on behalf of the victim, potentially leading to account compromise.
3. Malware distribution: attackers could redirect users to malicious websites or trigger downloads of malicious files.
4. Defacement: the appearance and content of the affected pages could be altered, damaging the site's reputation.
The vulnerability has a CVSS v3.1 base score of 5.4 (Medium severity), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The attack is network-reachable, has low complexity, requires low privileges (an authenticated contributor) and requires user interaction (a victim must load the page). Scope is changed because the script runs in the victim's browser rather than in the vulnerable plugin. Confidentiality and integrity impacts are low; availability is unaffected.

Exploitation

No public proof-of-concept has been identified, and there is no evidence of exploitation in the wild at this time.

Patch

A patch is available: the vulnerability is fixed in version 1.5.8 of the Smart Online Order for Clover plugin for WordPress. The fix is recorded in the WordPress plugin repository (plugins.trac.wordpress.org) with a date of 2024-10-17.

Mitigation

To mitigate this vulnerability:
1. Update the Smart Online Order for Clover plugin to version 1.5.8 or later. This is the only step that removes the vulnerability; the remaining steps reduce exposure.
2. If immediate updating is not possible, temporarily deactivate the plugin until it can be updated.
3. Limit the number of accounts with contributor-level access or higher, and regularly audit user accounts and their roles.
4. After updating, review existing posts and pages that contain the moo_receipt_link shortcode, particularly those authored by lower-privileged accounts. The update changes how attributes are rendered but does not remove content that was already stored.
5. Deploy a Content Security Policy that does not allow 'unsafe-inline' scripts, to limit what an injected inline script can do if another XSS is found.
6. Use a Web Application Firewall (WAF) to detect and block common XSS payloads in submitted content, treating it as defence in depth, since encoded or novel payloads can pass.
7. Because a stored payload fires when a user simply views the affected page, user awareness of suspicious links does little here; focus instead on who is allowed to publish content.
8. Regularly monitor and log activity related to the plugin and the WordPress admin area for suspicious behaviour.
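As an added example, not code from the plugin or its vendor, the following Python models the bug class described in the summary and the post-update content review suggested above: a hypothetical shortcode handler that concatenates attribute values straight into HTML, a hardened version that escapes each value for its HTML context (approximating the behaviour of WordPress esc_attr() and esc_url()), and a hunt over stored post content for moo_receipt_link shortcodes whose attributes carry payload indicators. The handler defaults, the simplified shortcode grammar and SAMPLE_POSTS are assumptions constructed for illustration; the plugin's real handler is not on this page.

```python
"""Added example, not code from the Smart Online Order for Clover plugin.

Models the bug class the advisory describes (shortcode attributes rendered
without escaping) with a hypothetical handler, shows a hardened form, and
hunts stored content for shortcode instances carrying XSS payloads.
"""
import html
import re
from urllib.parse import urlsplit

TAG = "moo_receipt_link"  # the shortcode tag named in the advisory

# Simplified forms of the WordPress shortcode and attribute grammar
# (assumption: attribute values never contain ']', as in WordPress itself).
SHORTCODE_RE = re.compile(r"\[" + re.escape(TAG) + r"\b([^\]]*)\]")
ATTR_RE = re.compile(
    r"""(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*'([^']*)'|(\w+)\s*=\s*([^\s'"\]]+)"""
)

# Hypothetical defaults; the real handler's attributes are not on the page.
DEFAULTS = {"url": "#", "text": "View receipt", "class": "moo-receipt"}
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}
# Indicators that an attribute value is trying to break out of its context.
PAYLOAD_HINTS = re.compile(r"""[<>"']|javascript\s*:|\bon\w+\s*=""", re.I)


def parse_atts(attr_string: str) -> dict:
    """Stand-in for shortcode_parse_atts(): double-, single- and un-quoted pairs."""
    atts = {}
    for m in ATTR_RE.finditer(attr_string):
        groups = m.groups()
        for i in (0, 2, 4):  # (key, value) pairs of the three alternatives
            if groups[i]:
                atts[groups[i].lower()] = groups[i + 1]
    return atts


def render_vulnerable(atts: dict) -> str:
    """The bug class: attribute values concatenated straight into HTML."""
    a = {**DEFAULTS, **atts}
    return f'<a href="{a["url"]}" class="{a["class"]}">{a["text"]}</a>'


def safe_url(value: str) -> str:
    """Approximates esc_url(): allowlist the scheme, then attribute-escape."""
    value = value.strip()
    scheme = urlsplit(value).scheme  # urlsplit lowercases the scheme
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return html.escape(value, quote=True)


def render_hardened(atts: dict) -> str:
    """Hardened form: keep only known attribute names (as shortcode_atts() does)
    and escape every value for its HTML context before output."""
    a = {**DEFAULTS, **{k: v for k, v in atts.items() if k in DEFAULTS}}
    return (
        f'<a href="{safe_url(a["url"])}" class="{html.escape(a["class"], quote=True)}">'
        f'{html.escape(a["text"], quote=True)}</a>'
    )


def hunt(posts: list) -> list:
    """Flag stored shortcode instances whose attribute values look like payloads.
    Each post is a dict with id, author_role and content."""
    findings = []
    for post in posts:
        for m in SHORTCODE_RE.finditer(post["content"]):
            for key, value in parse_atts(m.group(1)).items():
                if PAYLOAD_HINTS.search(value):
                    findings.append({"post": post["id"], "author_role": post["author_role"],
                                     "attr": key, "value": value})
    return findings


# Constructed sample of stored post content, not real site data.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "editor",
     "content": 'Order done. [moo_receipt_link url="https://shop.example/receipt/42" text="View receipt"]'},
    {"id": 102, "author_role": "contributor",
     "content": "[moo_receipt_link url='javascript:alert(document.cookie)' text='View receipt']"},
    {"id": 103, "author_role": "contributor",
     "content": '[moo_receipt_link url="https://shop.example/r/7" text="<img src=x onerror=alert(1)>"]'},
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        for m in SHORTCODE_RE.finditer(post["content"]):
            atts = parse_atts(m.group(1))
            print(post["id"], "vulnerable:", render_vulnerable(atts))
            print(post["id"], "hardened:  ", render_hardened(atts))
    for finding in hunt(SAMPLE_POSTS):
        print("FLAG", finding)
```

Run it directly to see, for each sample post, the vulnerable rendering (the `<img onerror>` and `javascript:` values land in the page intact) beside the hardened one (escaped text, empty href for the disallowed scheme) and the two flagged instances, both from contributor accounts. In a real review, feed hunt() rows from wp_posts joined to each author's role and inspect hits from contributor-level accounts first; the stored shortcodes remain in the database after the update and are worth removing.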

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article (Oct 15, 2024 at 8:40 AM / Vulners.com RSS Feed): Feedly found the first article mentioning CVE-2024-9895.

CVSS Estimate (Oct 15, 2024 at 8:40 AM): Feedly estimated the CVSS score as MEDIUM.

CVE Assignment (Oct 15, 2024 at 9:15 AM): NVD published the first details for CVE-2024-9895.

CVSS (Oct 15, 2024 at 9:20 AM / nvd): a CVSS base score of 6.4 was assigned.

EPSS (Oct 16, 2024 at 11:00 AM): the EPSS score was set to 0.07% (percentile: 32.1%).

CVSS (Oct 17, 2024 at 8:55 PM / nvd): a CVSS base score of 5.4 was assigned, replacing the earlier 6.4.

Affected Systems

Zaytech/smart_online_order_for_clover

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

Update Sun Nov 3 14:28:56 UTC 2024
CVE-2024-9895
Severity (CVSS 3.1 Base Score)
Medium - CVE-2024-9895 - The Smart Online Order for Clover plugin for...
The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due...
Clover Smart Online Order Vulnerable to Stored Cross-Site Scripting
Elbanyaoui - MEDIUM - CVE-2024-9895 The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9895
The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
