RafflePress Lite < 1.12.14 – Editor+ Stored XSS | CVE 2024-3963 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks

Proof of Concept

Note: This was partially fixed in 1.12.3, but if the payload was entered on a previous version of the plugin and then upgraded, the XSS still runs.

1. Go to "Rafflepress > Add New"
2. Add a new "Classic Giveway"
3. For the Giveaway description, enter the payload: `<meter value=2 min=0 max=10 onmouseover=alert(document.cookie)>2 out of 10</meter>`
4. Save and preview to see the XSS

Affects Plugins

Fixed in 1.12.14

References

CVE

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Aryom

Submitter

Krugov Aryom

Verified

Yes

WPVDB ID

827d738e-5369-431e-8438-b5c4d8c1f8f1

Timeline

Publicly Published

2024-06-22 (about 1 year ago)

Added

2024-06-22 (about 1 year ago)

Last Updated

2024-06-22 (about 1 year ago)

Other

Published

Title

Published

2023-12-22

Title

WordPress Infinite Scroll - Ajax Load More < 6.2 - Contributor+ Stored XSS

Published

2025-11-14

Title

SKT Skill Bar < 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-08-01

Title

Student Result or Employee Database < 1.8.0 - Unauthorised REST Calls

Published

2024-09-30

Title

Bold Page Builder < 5.1.1- - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-12-04

Title

Jetpack 13.0-14.0 - Unauthenticated DOM-XSS