CVE-2024-10152

CVE-2024-10152 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Simple Certain Time to Show Content WordPress plugin versions before 1.3.1. The flaw arises because the plugin does not sanitize or escape a parameter before outputting it back on the page, enabling attackers to inject and execute malicious scripts in the browser of affected users.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and it changes the scope (S:C) to achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), resulting in a CVSS v3.1 base score of 7.1. An unauthenticated attacker can target high-privilege users, such as administrators, by tricking them into visiting a maliciously crafted link or page, leading to script execution in the victim's session context for potential session theft or further site compromise.

The WPScan advisory at https://wpscan.com/vulnerability/b4d17da2-4c47-4fd1-a6bd-6692b07cf710/ details the issue, with mitigation achieved by updating the plugin to version 1.3.1 or later to properly sanitize and escape the vulnerable parameter.