[Japanese]

JVNDB-2024-014825

WordPress Plugin "My WP Customize Admin/Frontend" vulnerable to cross-site scripting

Overview

WordPress Plugin "My WP Customize Admin/Frontend" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).

The developer reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and the developer coordinated to publish this advisory.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


gqevu6bsiz
  • My WP Customize Admin/Frontend versions prior to ver 1.24.1

Impact

If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page.
Solution

[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the following version that addresses this vulnerability.

* My WP Customize Admin/Frontend ver 1.24.1
Vendor Information

gqevu6bsiz
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [Other]
CVE (What is CVE?)

  1. CVE-2024-55864
References

  1. JVN : JVNVU#90748215
Revision History

  • [2024/12/16]
      Web page was published

Date Public2024/12/13
Date First Published2024/12/16
Date Last Updated2024/12/16