CVE-2024-8243

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-8243
The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

6.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://wpscan.com/vulnerability/8e1e2d8d-41aa-49bc-95d5-dae75be788d5/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:felixker:wordpress\/plugin_upgrade_time_out_plugin:*:*:*:*:*:wordpress:*:*
History

22 Apr 2025, 17:15

Type Values Removed Values Added
First Time Felixker
Felixker wordpress\/plugin Upgrade Time Out Plugin
CPE cpe:2.3:a:felixker:wordpress\/plugin_upgrade_time_out_plugin:*:*:*:*:*:wordpress:*:*
References () https://wpscan.com/vulnerability/8e1e2d8d-41aa-49bc-95d5-dae75be788d5/ - () https://wpscan.com/vulnerability/8e1e2d8d-41aa-49bc-95d5-dae75be788d5/ - Exploit, Third Party Advisory
CWE CWE-352

09 Apr 2025, 19:15

Type Values Removed Values Added
Summary
  • (es) El complemento WordPress/Plugin Upgrade Time Out Plugin de WordPress hasta la versión 1.0 no tiene verificación CSRF en algunos lugares y le falta saneamiento y escape, lo que podría permitir a los atacantes hacer que el administrador que haya iniciado sesión agregue payloads XSS almacenado a través de un ataque CSRF.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.3

09 Apr 2025, 06:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-09 06:15

Updated : 2025-04-22 17:15

NVD link : CVE-2024-8243

Mitre link : CVE-2024-8243

CVE.ORG link : CVE-2024-8243

JSON object : View

Products Affected

felixker

  • wordpress\/plugin_upgrade_time_out_plugin
CWE
CWE-352

Cross-Site Request Forgery (CSRF)