CVE-2024-3868
State: PUBLISHED — CVE record format version 5.0
Wordfence
The Folders Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's First Name and Last Name in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this description says "Folders Pro" while the affected-product entry below names the free "Folders – Unlimited Folders …" plugin by galdub; the <= 3.0.2 range in the record is attached to that listed product, so check an installed site against both names rather than assuming only the paid variant is in scope.
Problem type
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
galdub
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
<= 3.0.2 - AFFECTED (the record's defaultStatus is "unaffected", so versions outside this range are treated as unaffected; no explicit fixed version is stated — confirm against the vendor changelog)
References
wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/daa48b64-6f89-40be-a31f-31d1481dfc91?source=cve
premio.io
https://premio.io/downloads/folders/
JSON source
{ "dataType": "CVE_RECORD", "containers": { "cna": { "credits": [ { "lang": "en", "type": "finder", "value": "mike harris" } ], "metrics": [ { "cvssV3_1": { "version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" } } ], "affected": [ { "vendor": "galdub", "product": "Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager", "versions": [ { "status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.0.2" } ], "defaultStatus": "unaffected" } ], "timeline": [ { "lang": "en", "time": "2024-04-16T00:00:00.000+00:00", "value": "Vendor Notified" }, { "lang": "en", "time": "2024-05-03T00:00:00.000+00:00", "value": "Disclosed" } ], "references": [ { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/daa48b64-6f89-40be-a31f-31d1481dfc91?source=cve" }, { "url": "https://premio.io/downloads/folders/" } ], "descriptions": [ { "lang": "en", "value": "The Folders Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's First Name and Last Name in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
} ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" } ] } ], "providerMetadata": { "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-04T02:31:34.852Z" } } }, "cveMetadata": { "cveId": "CVE-2024-3868", "state": "PUBLISHED", "dateUpdated": "2024-05-04T02:31:34.852Z", "dateReserved": "2024-04-15T22:53:47.069Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-04T02:31:34.852Z", "assignerShortName": "Wordfence" }, "dataVersion": "5.0" }