CVE-2024-10260: Tripetto <= 8.0.3 - Unauthentiated Stored Cross-Site Scripting via Form File Upload
First published: Fri Nov 15 2024(Updated: )
The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tripetto Tripetto | <=8.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-10260?
CVE-2024-10260 has a high severity rating due to its potential for allowing stored cross-site scripting attacks.
How do I fix CVE-2024-10260?
To fix CVE-2024-10260, update the Tripetto plugin to version 8.0.4 or later to ensure proper input sanitization and output escaping.
Who is affected by CVE-2024-10260?
All users of the Tripetto plugin for WordPress versions up to and including 8.0.3 are affected by CVE-2024-10260.
What type of vulnerability is CVE-2024-10260?
CVE-2024-10260 is classified as a Stored Cross-Site Scripting vulnerability.
Can unauthenticated attackers exploit CVE-2024-10260?
Yes, CVE-2024-10260 allows unauthenticated attackers to exploit the vulnerability through file uploads.
- agent/weakness
- agent/references
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/tripetto
- canonical/tripetto tripetto
- version/tripetto tripetto/8.0.3