Vulnerabilites related to gqevu6bsiz - WP Admin UI Customize
cve-2024-53278
Vulnerability from cvelistv5
Published
2024-11-26 04:33
Modified
2024-11-26 14:09
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to ver 1.5.14. If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the admin screen.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gqevu6bsiz | WP Admin UI Customize |
Version: prior to ver 1.5.14 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T14:04:17.341392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T14:09:26.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP Admin UI Customize",
"vendor": "gqevu6bsiz",
"versions": [
{
"status": "affected",
"version": "prior to ver 1.5.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to ver 1.5.14. If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the admin screen."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T04:33:51.381Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://wordpress.org/plugins/wp-admin-ui-customize/#developers"
},
{
"url": "https://gqevu6bsiz.chicappa.jp/wp-admin-ui-customize-%E3%82%A2%E3%83%83%E3%83%97%E3%83%87%E3%83%BC%E3%83%881-5-14%E3%82%92%E3%81%97%E3%81%BE%E3%81%97%E3%81%9F/"
},
{
"url": "https://jvn.jp/en/jp/JVN87182660/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-53278",
"datePublished": "2024-11-26T04:33:51.381Z",
"dateReserved": "2024-11-20T00:41:03.536Z",
"dateUpdated": "2024-11-26T14:09:26.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2024-000121
Vulnerability from jvndb
Published
2024-11-26 13:57
Modified
2024-11-26 13:57
Severity ?
Summary
WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting
Details
WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).
Ibuki Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN87182660/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-53278 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| gqevu6bsiz | WP Admin UI Customize |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000121.html",
"dc:date": "2024-11-26T13:57+09:00",
"dcterms:issued": "2024-11-26T13:57+09:00",
"dcterms:modified": "2024-11-26T13:57+09:00",
"description": "WordPress Plugin \"WP Admin UI Customize\" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).\r\n\r\nIbuki Sato reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000121.html",
"sec:cpe": {
"#text": "cpe:/a:misc_gqevu6bsiz:wp_admin_ui_customize",
"@product": "WP Admin UI Customize",
"@vendor": "gqevu6bsiz",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000121",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN87182660/index.html",
"@id": "JVN#87182660",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-53278",
"@id": "CVE-2024-53278",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "WordPress Plugin \"WP Admin UI Customize\" vulnerable to cross-site scripting"
}