[Japanese]

JVNDB-2024-000121

WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting

Overview

WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).

Ibuki Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


gqevu6bsiz
  • WP Admin UI Customize versions prior to ver 1.5.14

Impact

If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the admin screen.
Solution

[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the following version that addresses this vulnerability.
* WP Admin UI Customize ver 1.5.14
Vendor Information

gqevu6bsiz
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-53278
References

  1. JVN : JVN#87182660
Revision History

  • [2024/11/26]
      Web page was published

Date Public2024/11/26
Date First Published2024/11/26
Date Last Updated2024/11/26