CVE-2024-12400

HighPublic PoC

Published: 30 January 2025

Published

30 January 2025

Modified

09 June 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0010 26.3th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

Security Summary

CVE-2024-12400 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Tourmaster WordPress plugin in versions before 5.3.5. The flaw occurs because the plugin does not properly escape generated URLs before outputting them in HTML attributes, allowing attackers to inject malicious scripts that execute in the context of a victim's browser.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), but it requires user interaction (UI:R), such as clicking a malicious link. Exploitation results in reflected XSS with a changed scope (S:C), enabling limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 base score of 7.1. This could allow theft of session cookies or other client-side data.

WPScan advisories, referenced at https://wpscan.com/vulnerability/3542315c-93c3-41dd-a99e-02a38cfd58fb/, detail the issue and recommend updating the Tourmaster plugin to version 5.3.5 or later as the primary mitigation.

Details

CWE(s): CWE-79

Affected Products

goodlayers

tour master

≤ 5.3.5

References

https://wpscan.com/vulnerability/3542315c-93c3-41dd-a99e-02a38cfd58fb/
Exploit, Third Party Advisory · contact@wpscan.com
https://wpscan.com/vulnerability/3542315c-93c3-41dd-a99e-02a38cfd58fb/
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0