Description

The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `post_title` parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. Because the of the default WordPress validation, it is not possible to insert the payload directly but if the Cooked plugin is installed, it is possible to create a recipe post type (cp_recipe) and inject the payload in the title field. Version 2.0.5 contains a patch for the issue.

INFO

Published Date :

2024-07-01T21:19:35.867Z

Last Modified :

2024-08-02T04:19:20.713Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-39310 vulnerability.

Vendors Products
Xjsv
  • Basil
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-39310.

URL Resource
https://github.com/XjSv/Basil/commit/e2b1dbf1637d1ec2663f9aa1a563b02dc76a8146 cve-icon cve-icon
https://github.com/XjSv/Basil/security/advisories/GHSA-cr7v-8v2h-49vx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact