CVE-2024-3469

MEDIUM EXPLOITED NUCLEI

Generatepress < 2.4.1 - XSS

Title source: rule

Description

The GP Premium plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the message parameter in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Nuclei Templates (1)

GP Premium <= 2.4.0 - Cross-Site Scripting

MEDIUMVERIFIEDby Shivam Kamboj

FOFA: body="/wp-content/plugins/gp-premium/"

References (2)

[Release Notes] https://generatepress.com/category/changelog/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/1a697391-f30d-403f-9046-8fa219a49302?source=cve

Scores

CVSS v3 6.1

EPSS 0.1196

EPSS Percentile 93.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2024-06-05

CWE

CWE-79

Status published

Products (2)

generatepress/generatepress < 2.4.1

GeneratePress/GP Premium < 2.4.0

Published Jun 05, 2024

Tracked Since Feb 18, 2026