CVE-2024-10878

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Nov 26, 2024
CWE ID 79

Summary

CVE-2024-10878 is a Reflected Cross-Site Scripting (XSS) vulnerability in the Sugar Calendar plugin for WordPress, affecting versions up to and including 3.3.0. The plugin builds URLs with the add_query_arg and remove_query_arg functions without proper escaping, so a script injected into a URL is reflected back into the page. An unauthenticated attacker can exploit this only by tricking a user into performing an action, such as clicking on a malicious link. The vulnerability poses a significant risk because it allows attackers to steal sensitive data, launch phishing attacks, or even take control of user sessions. WordPress users should update their Sugar Calendar plugin to a patched version as soon as possible to mitigate this threat.
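An added example, not code from the Sugar Calendar plugin or from this advisory: a line-based audit check that flags add_query_arg and remove_query_arg calls whose result is not passed directly to esc_url() or esc_url_raw(), the escaping WordPress expects for these functions. The function name `find_unescaped_query_arg_calls` and the PHP sample are constructed for illustration, and the check is a heuristic for triaging plugin code, not a full parser.

```python
import re

# WordPress functions that return a URL built from the current request
# when no explicit URL is passed, so their output needs escaping.
CALL = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")

# The call counts as escaped only when it is the direct argument of
# esc_url() (HTML output) or esc_url_raw() (redirects, storage).
WRAPPED = re.compile(r"\b(esc_url|esc_url_raw)\s*\(\s*$")

COMMENT_PREFIXES = ("//", "#", "*", "/*")


def find_unescaped_query_arg_calls(php_source):
    """Return (line_number, function_name) for each unwrapped call.

    Heuristic: only looks at the text before the call on the same line,
    so a value escaped later on another line is still reported for review.
    """
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue
        for match in CALL.finditer(line):
            if not WRAPPED.search(line[: match.start()]):
                findings.append((number, match.group(1)))
    return findings


# Constructed sample input (hypothetical template code, not plugin source).
SAMPLE_PHP = r'''<?php
// Calendar navigation links
$next = add_query_arg( 'month', $month + 1 );
echo '<a href="' . $next . '">Next</a>';
echo '<a href="' . esc_url( add_query_arg( 'month', $month - 1 ) ) . '">Prev</a>';
echo '<a href="' . remove_query_arg( 'view' ) . '">Reset</a>';
wp_safe_redirect( esc_url_raw( remove_query_arg( 'view' ) ) );
'''

if __name__ == "__main__":
    for line_number, function_name in find_unescaped_query_arg_calls(SAMPLE_PHP):
        print(f"line {line_number}: {function_name}() result is not escaped")
```

Each reported line still needs manual review, since the value may be escaped at the point of output elsewhere in the file.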
