Description
A reflected cross-site scripting (XSS) vulnerability was discovered in the MM-Breaking News WordPress plugin (versions up to 0.7.9). The vulnerability arises because the plugin does not properly escape the $_SERVER['REQUEST_URI'] parameter before outputting it back into an HTML attribute. This can be exploited in older web browsers that fail to properly handle unescaped user input, allowing attackers to inject malicious scripts.
Severity
- CVSS Base Score: Pending assessment (Likely Medium)
- Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Overall severity: MEDIUM
Affected Versions
- MM-Breaking News WordPress plugin versions up to 0.7.9.
Solution
- Update the MM-Breaking News WordPress plugin to the latest version, where this vulnerability has been patched.
- Ensure proper escaping of all user-supplied data, especially $_SERVER['REQUEST_URI'], before it is output in HTML attributes.
- Enforce security best practices such as using Content Security Policy (CSP) to mitigate XSS attacks.
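The following PHP is an added illustration of the escaping defect described in the Description and the fix recommended above; it is not the MM-Breaking News plugin's own code, and the function names and sample request path are hypothetical.

```php
<?php
// Added illustration, not the MM-Breaking News plugin's own code.
// Function names and the sample input below are hypothetical.

// Vulnerable pattern: the raw request URI is concatenated into an
// attribute value. REQUEST_URI is attacker-controlled, and a double
// quote or angle bracket in the request path reaches the markup
// unencoded (older browsers send such characters without
// percent-encoding them), which is enough to break out of the attribute.
function render_form_vulnerable( $request_uri ) {
    return '<form action="' . $request_uri . '" method="post"></form>';
}

// Hardened pattern for WordPress code: esc_url() rejects unsafe URL
// schemes and encodes the characters that could terminate the
// attribute, so the value can only be interpreted as a URL.
function render_form_safe( $request_uri ) {
    return '<form action="' . esc_url( $request_uri ) . '" method="post"></form>';
}

// Outside WordPress, attribute-context escaping with htmlspecialchars()
// (ENT_QUOTES so single quotes are encoded as well) closes the same hole.
function render_form_safe_plain( $request_uri ) {
    $safe = htmlspecialchars( $request_uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    return '<form action="' . $safe . '" method="post"></form>';
}

// Constructed sample path containing a double quote; runs with plain PHP.
$sample = '/news/?q=a"b';
echo render_form_vulnerable( $sample ), PHP_EOL;  // quote is emitted verbatim
echo render_form_safe_plain( $sample ), PHP_EOL;  // quote is entity-encoded
```

In a WordPress context, run the same input through render_form_safe() instead; esc_url() is the function WordPress provides for URLs written into href and action attributes.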
Summary
CVE-2024-8056 is a reflected cross-site scripting (XSS) vulnerability in the MM-Breaking News WordPress plugin through version 0.7.9. This vulnerability allows attackers to inject malicious scripts via the $_SERVER['REQUEST_URI'] parameter, which could be executed in older browsers. It is recommended to update the plugin and ensure proper sanitization of user input to prevent such vulnerabilities.