CVE-2024-11202

Summary

Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affected Software

VendorProductVersion RangeStatus
creativemindssolutionsCM Header and Footer – Add custom scripts and styles to your header and footer with ease0 <= 1.2.1affected
creativemindssolutionsCM Business Directory – Optimise and showcase local business0 <= 1.4.1affected
creativemindssolutionsCM Search And Replace – Optimize content edits with a powerful search and replace tool0 <= 1.4.2affected
creativemindssolutionsCM E-Mail Blacklist – Simple email filtering for safer registration0 <= 1.5.3affected
creativemindssolutionsCM Pop-Up – Create engaging popups to capture attention and boost interaction0 <= 1.7.5affected
creativemindssolutionsCM Video Lessons Manager – Simplify video lessons management for better education0 <= 1.8.2affected
creativemindssolutionsCM Tooltip Glossary0 <= 4.3.11affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References