Vulnerability Description
Fahad Mahmood RSS Feed Widget Plugin v2.7.9 and lower does not sanitize the value of the "t" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rss Feed Widget Project | Rss Feed Widget | <= 2.7.9 |
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/rss-feed-widget/advanced/ProductThird Party Advisory
- https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ExploitThird Party AdvisoryURL Repurposed
- https://wordpress.org/plugins/rss-feed-widget/advanced/ProductThird Party Advisory
- https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/ExploitThird Party AdvisoryURL Repurposed
FAQ
What is CVE-2020-24314?
CVE-2020-24314 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Fahad Mahmood RSS Feed Widget Plugin v2.7.9 and lower does not sanitize the value of the "t" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability...
How severe is CVE-2020-24314?
CVE-2020-24314 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-24314?
Check the references section above for vendor advisories and patch information. Affected products include: Rss Feed Widget Project Rss Feed Widget.