CVE-2024-1935
Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting
In short
An attacker can inject malicious scripts into a WordPress site using the RafflePress plugin (version 1.12.5 or older) without needing to log in. When visitors view the affected page, the hidden script runs in their browser, potentially stealing data or compromising their accounts.
Technical detail
The 'parent_url' parameter in RafflePress <= 1.12.5 is neither sanitized on input nor escaped on output, so an unauthenticated attacker can store script content that is later rendered into the page. Because the payload is persisted server-side, it executes in the browser of every visitor who loads the affected page, which enables credential theft, session hijacking, or malware distribution.
Summary generated and translated by AI from the official description.
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
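The vulnerable-versus-hardened pattern the description points at, as an added PHP illustration that is not RafflePress code: a stored URL parameter echoed unescaped into an attribute, beside a version that validates the URL on input and escapes it on output. The template markup, function names and the stored sample value are hypothetical.

```php
<?php
// Added illustration (not RafflePress code): how an unescaped URL parameter
// becomes stored XSS, and what the sanitization/escaping fix looks like.

// Constructed attacker-supplied value, as it might arrive in 'parent_url'
// and be persisted by the application before being rendered later.
$stored_parent_url = '"><script>alert(document.domain)</script>';

// Vulnerable pattern: the stored value is echoed straight into an attribute,
// so a double quote in the value closes the attribute and injects markup.
function render_vulnerable(string $parent_url): string {
    return '<input type="hidden" name="parent_url" value="' . $parent_url . '">';
}

// Input sanitization: accept only a syntactically valid http(s) URL; anything
// else collapses to an empty string rather than being stored as-is.
// In a WordPress plugin esc_url_raw() does this job on save.
function sanitize_parent_url(string $raw): string {
    $url = filter_var(trim($raw), FILTER_VALIDATE_URL);
    if ($url === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

// Output escaping: encode for the HTML attribute context even after
// validation, so a value can never break out of the quoted attribute.
// In WordPress use esc_attr()/esc_url(); the htmlspecialchars() fallback
// keeps this example runnable outside WordPress.
function render_hardened(string $parent_url): string {
    $clean = sanitize_parent_url($parent_url);
    $escaped = function_exists('esc_attr')
        ? esc_attr($clean)
        : htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="parent_url" value="' . $escaped . '">';
}

echo "Vulnerable:             " . render_vulnerable($stored_parent_url) . "\n";
echo "Hardened:               " . render_hardened($stored_parent_url) . "\n";
echo "Hardened (valid input): " . render_hardened('https://example.com/giveaway') . "\n";
```

Run with `php file.php`: the vulnerable line shows the attribute closed and a script tag injected, while the hardened line renders an empty value for the constructed payload and an intact URL for the valid input.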
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products
smub · Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
References
https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.5/resources/views/rafflepress-giveaway.php
https://plugins.trac.wordpress.org/changeset?old_path=/rafflepress/tags/1.12.5&old=3043286&new_path=/rafflepress/tags/1.12.7&new=3043286&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/29b471ac-3a08-42da-9907-670c3b3bae92?source=cve