Exploitation Summary
EIP tracks 1 public exploit for CVE-2024-6651. PoCs published by yup-Ivan. A Nuclei detection template is also available.
AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2024-6651, a reflected XSS vulnerability in the WP File Upload WordPress plugin versions prior to 4.24.8. The exploit leverages an unsanitized 'dir' parameter in the File Browser functionality to execute arbitrary JavaScript in the context of an authenticated user.
Description
The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Exploits (1)
Nuclei Templates (1)
body='wp-content/plugins/wp-file-upload/'
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N