CVE-2024-1787 Information
Mar 21, 2024
Description
The Contests by Rewards Fuel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_rewards_fuel_api_key’ parameter in all versions up to and including 2.0.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Reference
https://www.wordfence.com/threat-intel/vulnerabilities/id/9eeec949-e440-4df3-8c26-db92498cada3?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3051990%40contests-from-rewards-fuel&new=3051990%40contests-from-rewards-fuel&sfp_email=&sfph_mail=