CVE-2024-12638
Published: 30 January 2025
Description
The Bulk Me Now! WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Security Summary
CVE-2024-12638 is a reflected cross-site scripting (XSS) vulnerability in the Bulk Me Now! WordPress plugin through version 2.0. The plugin does not sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject malicious scripts. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79.
Attackers require no privileges and can exploit this remotely over the network with low complexity by crafting a malicious payload in the vulnerable parameter. Exploitation relies on user interaction, such as an administrator clicking a malicious link, which reflects the payload and executes JavaScript in the high-privilege user's browser context. The changed scope (S:C) reflects that the injected script runs in the victim's browser rather than in the vulnerable plugin itself; the low-rated confidentiality, integrity, and availability impacts include potential session theft or unauthorized actions performed within the victim's scope.
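To illustrate the defect class the advisory describes (a request parameter echoed back without sanitisation or escaping) alongside the WordPress-idiomatic fix, here is an added example; it is not the plugin's code, and the parameter name bmn_msg and the function names are assumptions made for the illustration.

```php
<?php
// Added illustration, not code from the Bulk Me Now! plugin. The parameter
// name "bmn_msg" and the bmn_* function names are assumptions.

// Minimal stand-ins so this file also runs outside WordPress. Inside
// WordPress the real esc_html()/sanitize_text_field()/wp_unslash() are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of the WordPress core behaviour: drop tags and
        // control characters, collapse whitespace.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]+/', '', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}

// VULNERABLE pattern (CWE-79): the request value is concatenated straight
// into HTML, so the browser interprets any markup it carries.
function bmn_render_status_vulnerable(array $request): string {
    $msg = $request['bmn_msg'] ?? '';
    return '<div class="notice">' . $msg . '</div>';
}

// HARDENED pattern: sanitise on input, escape on output for the HTML text
// context. The output escaping is what prevents the reflected XSS; the
// input sanitisation narrows what the value can carry in the first place.
function bmn_render_status_fixed(array $request): string {
    $msg = sanitize_text_field(wp_unslash($request['bmn_msg'] ?? ''));
    return '<div class="notice">' . esc_html($msg) . '</div>';
}

// Constructed sample inputs: a plain value and one carrying markup.
foreach (['hello', '<b>hi</b>'] as $sample) {
    echo 'vulnerable: ', bmn_render_status_vulnerable(['bmn_msg' => $sample]), PHP_EOL;
    echo 'fixed:      ', bmn_render_status_fixed(['bmn_msg' => $sample]), PHP_EOL;
}
```

Run with php on the command line to see the markup-bearing value rendered as a tag by the vulnerable function and neutralised by the fixed one.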
The WPScan advisory at https://wpscan.com/vulnerability/a6f5b0fe-00a0-4e30-aec6-87882c035beb/ provides further details on the vulnerability, including recommended mitigations.
Details
- CWE(s)