一、 漏洞 CVE-2024-9618 基础信息
漏洞标题
Master Addons <= 2.0.7.2 - 经认证(贡献者+)多个部件中的存储型跨站脚本漏洞
来源:AIGC 神龙大模型
漏洞描述信息
WordPress插件Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations在所有版本中(包括2.0.7.2版本)存在存储型跨站脚本漏洞。该漏洞是由于在处理用户提供的属性时,输入过滤不充分且输出未进行适当的转义,导致通过多个小部件输入的恶意脚本可以被存储。攻击者(具有贡献者级别或以上权限的认证用户)可以利用此漏洞将任意Web脚本注入页面中,当用户访问被注入的页面时,脚本将被执行。
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
来源:AIGC 神龙大模型
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
来源:AIGC 神龙大模型
漏洞标题
Master Addons <= 2.0.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
来源:美国国家漏洞数据库 NVD
漏洞描述信息
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
来源:美国国家漏洞数据库 NVD
二、漏洞 CVE-2024-9618 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2024-9618 的情报信息

  • 标题: Master Addons <= 2.0.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets -- 🔗来源链接

    标签:

    Master Addons <= 2.0.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

  • 标题: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations – WordPress plugin | WordPress.org -- 🔗来源链接

    标签:

    Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations – WordPress plugin | WordPress.org

  • 标题: master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository -- 🔗来源链接

    标签:

    master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository

  • 标题: master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository -- 🔗来源链接

    标签:

    master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository

  • 标题: master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository -- 🔗来源链接

    标签:

    master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository

  • 标题: master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository -- 🔗来源链接

    标签:

    master-addons-scripts.js in master-addons/trunk/assets/js – WordPress Plugin Repository

  • 标题: Changelogs - Master Addons -- 🔗来源链接

    标签:

    Changelogs - Master Addons

  • 标题: Changeset 3243199 – WordPress Plugin Repository -- 🔗来源链接

    标签:

    Changeset 3243199 – WordPress Plugin Repository

  • 标题: Changeset 3249130 – WordPress Plugin Repository -- 🔗来源链接

    标签:

    Changeset 3249130 – WordPress Plugin Repository
  • https://nvd.nist.gov/vuln/detail/CVE-2024-9618