Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.2
CVSSv3

CVE-2024-4439

Published: 03/05/2024 Updated: 03/05/2024
CVSS v3 Base Score: 7.2 | Impact Score: 2.7 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated malicious users to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

Vulnerability Trend

Github Repositories

https://github.com/MielPopsssssss/CVE-2024-4439

CVE-2024-4439 PoC

CVE-2024-4439 CVE-2024-4439 PoC

https://github.com/d0rb/CVE-2024-4439

The provided exploit code leverages a stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-4439) in WordPress Core versions up to 6.5.1.

๐Ÿ‡ฎ๐Ÿ‡ฑ #BringThemHome #NeverAgainIsNow ๐Ÿ‡ฎ๐Ÿ‡ฑ We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas We will not rest until every hostage is released and returns home safely You can help bring them back home storiesbringthemhomenownet/ CVE-2024-4439 Exploit: Unauthenticated Stored Cross-Site Scripting Vulnerability

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/e363c09a-4381-4b3a-951c-9a0ff5669016?source=cvehttps://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3https://core.trac.wordpress.org/changeset/57951/branches/6.4/src/wp-includes/blocks/avatar.phphttps://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wordpress-core/https://nvd.nist.govhttps://github.com/MielPopsssssss/CVE-2024-4439
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-29895blind SQL injectionCVE-2024-5064CVE-2023-52677CVE-2023-52682CVE-2024-30051CVE-2024-35849remote attackersremote
Vulnerability Notification Service
You donโ€™t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook