CVE-2024-9897

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 19, 2024 / Updated: 31d ago

CVSS 5.4 / EPSS 0.07% / Medium

Summary

The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode in all versions up to, and including, 1.8.6. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. It allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.

Impact

This vulnerability allows an attacker with contributor-level access to inject malicious scripts into WordPress pages. When executed in a visitor's browser, these scripts could steal sensitive information such as login credentials or session tokens, or alter the content of the affected pages to mislead users and damage the site's reputation. Because exploitation requires user interaction and an authenticated account, the impact is limited, but it remains significant for sites with multiple contributors.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been addressed in version 1.8.7 of the StreamWeasels Twitch Integration plugin for WordPress.

Mitigation

1. Update the StreamWeasels Twitch Integration plugin to version 1.8.7 or later as soon as possible.
2. If immediate updating is not possible, consider temporarily disabling the plugin or restricting access to contributor-level accounts.
3. Implement strong content security policies (CSP) to mitigate the impact of potential XSS attacks.
4. Regularly audit and review user permissions, especially for accounts with contributor-level access or higher.
5. Educate content creators about the risks of embedding untrusted content and the importance of proper input validation.
6. Monitor for suspicious activity or unauthorized changes to pages, particularly those using the sw-twitch-embed shortcode.
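The root cause named in the summary (attributes accepted from a contributor and written into markup without sanitization or escaping) and mitigation step 3 (CSP) can both be shown in code. The block below is an added illustration written for this page, not the StreamWeasels plugin's source or its fix; the handler names, the attribute set (channel, width, height, theme), and the embed URL shape are assumptions. It uses the standard WordPress helpers (`shortcode_atts`, `sanitize_text_field`, `absint`, `esc_attr`, `esc_url`, `add_query_arg`, `add_shortcode`, `add_action`) and shows the unescaped pattern beside a hardened handler that validates each attribute on input and escapes it for its exact output context.

```php
<?php
/**
 * Added example for this page: NOT the plugin's code. Shows the CWE-79 pattern
 * behind a stored XSS in a shortcode and the defensive shape that replaces it.
 * Attribute names, function names and the embed URL are assumptions.
 */

// "Before" shape of the bug: contributor-supplied attribute values are
// concatenated straight into HTML attributes. Shown only for contrast; never register it.
function sw_example_unsafe_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'channel' => '', 'width' => '100%', 'height' => '480', 'theme' => 'dark' ),
        $atts,
        'sw-twitch-embed'
    );
    // No validation and no escaping: whatever is stored in the post is rendered
    // to every visitor inside attribute context.
    return '<div class="sw-embed" data-channel="' . $atts['channel'] . '"'
         . ' data-theme="' . $atts['theme'] . '"'
         . ' style="width:' . $atts['width'] . ';height:' . $atts['height'] . 'px"></div>';
}

// Hardened handler: allow-list on input, escape per output context on output.
function sw_example_safe_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'channel' => '', 'width' => '100%', 'height' => '480', 'theme' => 'dark' ),
        $atts,
        'sw-twitch-embed'
    );

    // Channel: accept only a closed character set; reject rather than "clean up".
    $channel = strtolower( sanitize_text_field( $atts['channel'] ) );
    if ( ! preg_match( '/^[a-z0-9_]{1,32}$/', $channel ) ) {
        return ''; // render nothing instead of echoing the rejected value back
    }

    // Theme: closed set of accepted tokens, default on anything else.
    $theme = in_array( $atts['theme'], array( 'dark', 'light' ), true ) ? $atts['theme'] : 'dark';

    // Height: integer in a sane range. Width: digits with optional % suffix.
    $height = absint( $atts['height'] );
    if ( $height < 1 || $height > 2160 ) {
        $height = 480;
    }
    $width = preg_match( '/^\d{1,4}%?$/', $atts['width'] ) ? $atts['width'] : '100%';

    // Build the embed URL from validated parts only (URL shape is an assumption here),
    // then escape it for the src attribute with esc_url().
    $src = add_query_arg(
        array( 'channel' => $channel, 'parent' => wp_parse_url( home_url(), PHP_URL_HOST ) ),
        'https://player.twitch.tv/'
    );

    // Every interpolated value is escaped for the context it lands in:
    // esc_attr() for attribute text, esc_url() for the URL, %d for the integer.
    return sprintf(
        '<iframe class="sw-embed sw-embed-%1$s" src="%2$s" style="width:%3$s;height:%4$dpx" allowfullscreen></iframe>',
        esc_attr( $theme ),
        esc_url( $src ),
        esc_attr( $width ),
        $height
    );
}
add_shortcode( 'sw-twitch-embed', 'sw_example_safe_shortcode' );

// Mitigation step 3, defence in depth: a front-end CSP that allows no inline script,
// so a stored payload that slips past escaping is still refused by the browser.
function sw_example_send_csp() {
    if ( is_admin() ) {
        return; // wp-admin depends on inline scripts; keep the policy on the public site
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-src https://player.twitch.tv; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'sw_example_send_csp' );
```

The two handlers differ in where trust is decided: the unsafe one trusts stored post content at render time, while the hardened one decides per attribute what is acceptable (a regex for the channel, a token list for the theme, integer and percentage checks for dimensions) and then escapes for the attribute or URL context at the single point where the value is written. The CSP is independent of the plugin and also limits the blast radius of any other stored-XSS flaw on the site, which is why it belongs in the mitigation list even after updating to 1.8.7.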

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9897.

Oct 19, 2024 at 9:44 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 19, 2024 at 9:46 AM
CVE Assignment

NVD published the first details for CVE-2024-9897

Oct 19, 2024 at 10:15 AM
CVSS

A CVSS base score of 6.4 has been assigned.

Oct 19, 2024 at 10:20 AM / nvd
EPSS

EPSS Score was set to: 0.07% (Percentile: 31%)

Oct 20, 2024 at 12:21 PM
CVSS

A CVSS base score of 5.4 has been assigned.

Nov 1, 2024 at 3:30 PM / nvd
Static CVE Timeline Graph

Affected Systems

Streamweasels/twitch_integration

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

CVE Alert: CVE-2024-9897 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9897/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9897
CVE Alert: CVE-2024-9897
The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s sw-twitch-embed shortcode in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. Everyone that supports the site helps enable new functionality.
CVE-2024-9897
Medium Severity. Description: The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Read more at https://www.tenable.com/cve/CVE-2024-9897
CVE-2024-9897 - Exploits & Severity - Feedly
The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode ...
Medium - CVE-2024-9897 - The StreamWeasels Twitch Integration plugin for...
The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode in all versions up to, and including, 1.8.6...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
