Home

Description

The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

PUBLISHED Reserved 2024-08-21 | Published 2024-09-12 | Updated 2024-09-12 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
affected

Any version
affected

Credits

Bob Matyas finder

WPScan coordinator

References

wpscan.com/...rability/203b8122-f1e5-4e9e-ba83-f5cd59d8a289/ exploit vdb-entry technical-description

cve.org (CVE-2024-8056)

nvd.nist.gov (CVE-2024-8056)