Vulnerabilites related to gqevu6bsiz - WP Admin UI Customize
CVE-2024-53278 (GCVE-0-2024-53278)
Vulnerability from cvelistv5
Published
2024-11-26 04:33
Modified
2024-11-26 14:09
Severity ?
4.8 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Cross-site scripting (XSS)
Summary
Cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to ver 1.5.14. If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the admin screen.
References
Impacted products
Vendor Product Version
gqevu6bsiz WP Admin UI Customize Version: prior to ver 1.5.14
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53278",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-26T14:04:17.341392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-26T14:09:26.088Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WP Admin UI Customize",
          "vendor": "gqevu6bsiz",
          "versions": [
            {
              "status": "affected",
              "version": "prior to ver 1.5.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to ver 1.5.14. If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the admin screen."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site scripting (XSS)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-26T04:33:51.381Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://wordpress.org/plugins/wp-admin-ui-customize/#developers"
        },
        {
          "url": "https://gqevu6bsiz.chicappa.jp/wp-admin-ui-customize-%E3%82%A2%E3%83%83%E3%83%97%E3%83%87%E3%83%BC%E3%83%881-5-14%E3%82%92%E3%81%97%E3%81%BE%E3%81%97%E3%81%9F/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN87182660/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-53278",
    "datePublished": "2024-11-26T04:33:51.381Z",
    "dateReserved": "2024-11-20T00:41:03.536Z",
    "dateUpdated": "2024-11-26T14:09:26.088Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

jvndb-2024-000121
Vulnerability from jvndb
Published
2024-11-26 13:57
Modified
2024-11-26 13:57
Severity ?
4.8 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting
Details
WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79). Ibuki Sato reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000121.html",
  "dc:date": "2024-11-26T13:57+09:00",
  "dcterms:issued": "2024-11-26T13:57+09:00",
  "dcterms:modified": "2024-11-26T13:57+09:00",
  "description": "WordPress Plugin \"WP Admin UI Customize\" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).\r\n\r\nIbuki Sato reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000121.html",
  "sec:cpe": {
    "#text": "cpe:/a:misc_gqevu6bsiz:wp_admin_ui_customize",
    "@product": "WP Admin UI Customize",
    "@vendor": "gqevu6bsiz",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "4.8",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000121",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN87182660/index.html",
      "@id": "JVN#87182660",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-53278",
      "@id": "CVE-2024-53278",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "WordPress Plugin \"WP Admin UI Customize\" vulnerable to cross-site scripting"
}