CVE-2024-8914
CVSS 3.1 Score 7.2 of 10 (high)
Details
Summary
CVE-2024-8914 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Thanh Toán Quét Mã QR Code Tự Động plugin for WordPress, which is used by ViettelPay, MoMo, VNPay, and 40 Vietnamese banks. The vulnerability arises from incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute on certain HTML elements without proper context validation or restriction. As a result, unauthenticated attackers can inject malicious scripts into web pages, and those scripts execute whenever a user accesses an injected page. The vulnerability impacts all versions up to and including 2.0.1. Users are strongly advised to update to the latest, secure version of the plugin as soon as possible to mitigate this risk.
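The allow-list problem described above can be audited and neutralised at the point where WordPress consults the wp_kses_allowed_html filter. The following is an added example, not code from the plugin or from this advisory; the helper name strip_event_handler_attrs and the sample allow-list are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. strip_event_handler_attrs() is a hypothetical helper.

/**
 * Remove inline event-handler attributes (onclick, onerror, ...) from a KSES
 * allow-list shaped as [ tag => [ attribute => rule ] ].
 * $removed collects "tag@attribute" entries for logging.
 */
function strip_event_handler_attrs(array $allowed, array &$removed = []): array
{
    foreach ($allowed as $tag => $attrs) {
        if (!is_array($attrs)) {
            continue; // tag listed without an attribute map
        }
        foreach (array_keys($attrs) as $attr) {
            if (preg_match('/^on[a-z]+$/i', (string) $attr)) {
                unset($allowed[$tag][$attr]);
                $removed[] = "$tag@$attr";
            }
        }
    }
    return $allowed;
}

if (function_exists('add_filter')) {
    // Inside WordPress (e.g. as an mu-plugin): run last so allow-lists
    // widened by other code are cleaned before KSES uses them.
    add_filter('wp_kses_allowed_html', function ($allowed, $context) {
        $removed = [];
        $clean = strip_event_handler_attrs((array) $allowed, $removed);
        if ($removed) {
            $ctx = is_string($context) ? $context : 'custom';
            error_log("KSES allow-list ($ctx) permitted: " . implode(', ', $removed));
        }
        return $clean;
    }, PHP_INT_MAX, 2);
} else {
    // Stand-alone run (php file.php) on a constructed allow-list.
    $sample = [
        'a'    => ['href' => true, 'onclick' => true],
        'span' => ['class' => true, 'onclick' => true],
        'br'   => [],
    ];
    $removed = [];
    $clean = strip_event_handler_attrs($sample, $removed);
    echo implode(', ', $removed), PHP_EOL;
    echo json_encode($clean), PHP_EOL;
}
```

Because the filter removes the attribute from the allow-list, any feature that relies on inline onclick stops working while it is active. The logged entries show which contexts permitted event handlers, which helps confirm whether a site is still running an affected version.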