CVE-2020-24314 Information
Feb 14, 2021
Description
Fahad Mahmood RSS Feed Widget Plugin v2.7.9 and lower does not sanitize the value of the \t\ GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL.
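Added example, not the plugin's own code: the reflected-input pattern the description names (a GET value echoed straight into an input tag's attribute) beside its hardened form, using WordPress' esc_attr() for attribute-context encoding. The parameter name "t" and the function names are placeholders; the page does not preserve the real parameter name.

```php
<?php
// Added example, not the plugin's own code: the reflected-input pattern the
// advisory describes (a GET value echoed into an <input> attribute) beside
// the hardened form. Parameter name "t" is a placeholder.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress' esc_attr() so the file runs outside WordPress.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the raw value lands inside value="...". A double quote in the
// input closes the attribute, so whatever follows is parsed as new markup.
function render_field_vulnerable(string $value): string {
    return '<input type="text" name="t" value="' . $value . '">';
}

// Hardened: attribute-context encoding turns " < > & into entities, so the
// value stays a string whatever it contains. Escape at output time with the
// escaper that matches the context (esc_attr for HTML attributes).
function render_field_fixed(string $value): string {
    return '<input type="text" name="t" value="' . esc_attr($value) . '">';
}

// Constructed input: a value carrying a double quote and angle brackets.
$input = 'feed" data-x="<b>';

$bad  = render_field_vulnerable($input);
$good = render_field_fixed($input);

echo "vulnerable: $bad\n";
echo "fixed:      $good\n";

// The template itself has six quotes (type, name, value). The hardened output
// keeps exactly those six; the vulnerable one gains the two from the input.
assert(substr_count($good, '"') === 6);
assert(substr_count($bad, '"') === 8);
assert(strpos($good, '&quot;') !== false);
```

Run with `php example.php`; in a real plugin the same esc_attr() call (or esc_html() / esc_url() for other contexts) belongs wherever request data is echoed.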
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://wordpress.org/plugins/rss-feed-widget/advanced/
https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM