CVE-2024-0658

CVSS 3.1 Score 4.4 of 10 (medium)

Details

Published Feb 29, 2024

Summary

CVE-2024-0658 is a stored cross-site scripting vulnerability in the Insert PHP Code Snippet plugin for WordPress, affecting versions up to and including 1.3.4. It allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. The cause is insufficient input sanitization and output escaping of the user's name when accessing the insert-php-code-snippet-manage page. The vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled.

The exploitability score is 1.3, and the base severity score is 4.4 (medium). Remediation requires updating the Insert PHP Code Snippet plugin to a version that includes the necessary security fixes. Organizations should take action promptly: the vulnerability allows injected scripts to execute on affected websites, compromising their integrity and potentially impacting confidentiality.
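The following triage check is an added example, not code from the plugin or from this page's publisher. It reads a plugin main file and a `wp-config.php` as text and reports whether the conditions described above hold; the sample inputs are constructed, and treating the WordPress constants `MULTISITE` and `DISALLOW_UNFILTERED_HTML` as the signal for the two preconditions is an assumption of this sketch.

```python
import re

AFFECTED_MAX = (1, 3, 4)  # the page: versions up to and including 1.3.4

# Constructed sample inputs, not taken from a real site.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Insert PHP Code Snippet
Version: 1.3.4
*/
"""
SAMPLE_WP_CONFIG = """<?php
define( 'WP_ALLOW_MULTISITE', true );
// define( 'MULTISITE', true );
define( 'DISALLOW_UNFILTERED_HTML', true );
"""

def plugin_version(main_file_text):
    """Parse the 'Version:' header of a plugin main file into a tuple."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", main_file_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 1.3.4.0 as 1.3.4
        parts.pop()
    return tuple(parts)

def constant_true(wp_config_text, name):
    """True if a line starts with define(NAME, true); '//' lines do not match."""
    pattern = r"^\s*define\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % re.escape(name)
    return re.search(pattern, wp_config_text, re.M | re.I) is not None

def assess(main_file_text, wp_config_text):
    """Return 'unknown', 'not-affected', 'affected-version' or 'exposed'."""
    version = plugin_version(main_file_text)
    if version is None:
        return "unknown"
    if version > AFFECTED_MAX:
        return "not-affected"
    # Preconditions named on the page: multi-site, or unfiltered_html disabled.
    # Limitation: the capability can also be removed by role plugins, which
    # this file-based check cannot see.
    if (constant_true(wp_config_text, "MULTISITE")
            or constant_true(wp_config_text, "DISALLOW_UNFILTERED_HTML")):
        return "exposed"
    return "affected-version"

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER, SAMPLE_WP_CONFIG))
```

A result of `affected-version` still calls for the update: the installed version is in the affected range, only the preconditions were not detected from the files.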
