Published: 2024/11/26  Last Updated: 2024/11/26
JVN#87182660
WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting
Overview
WordPress Plugin "WP Admin UI Customize" contains a cross-site scripting vulnerability.
Products Affected
- WP Admin UI Customize versions prior to ver 1.5.14
Description
WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).
Impact
If a malicious admin user customizes the admin screen with malicious content, an arbitrary script may be executed in the web browsers of other users who access the admin screen.
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the following version that addresses this vulnerability.
- WP Admin UI Customize ver 1.5.14
Vendor Status
Vendor | Link |
---|---|
gqevu6bsiz | WP Admin UI Customize |
gqevu6bsiz | Changelog |
gqevu6bsiz | WP Admin UI Customize Update (1.5.14) (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score: 4.8
Metric | Value |
---|---|
Attack Vector (AV) | Network (N) |
Attack Complexity (AC) | Low (L) |
Privileges Required (PR) | High (H) |
User Interaction (UI) | Required (R) |
Scope (S) | Changed (C) |
Confidentiality Impact (C) | Low (L) |
Integrity Impact (I) | Low (L) |
Availability Impact (A) | None (N) |
Credit
Ibuki Sato reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Item | Value |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2024-53278 |
JVN iPedia | JVNDB-2024-000121 |