CVE-2024-12042

Published Dec 13, 2024

Last updated 2 months ago

CVSS medium 5.4

Overview

Description
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.
Source
security@wordfence.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Primary
Base score
5.4
Impact score
2.7
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-434

Social media

Hype score
Not currently trending

  1. CVE-2024-12042 Stored XSS Vulnerability in MStore API Plugin for WordPress The MStore API plugin for WordPress, used for creating native Android and iOS apps on the cloud, has a Stored Cross-Site Scripting vulner... https://t.co/2txe7yjg9d

    @VulmonFeeds

    13 Dec 2024

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References