CVE-2024-29809

Name of the Vulnerable Software and Affected Versions admin-ajax.php (affected versions not specified)

Description The issue concerns a reflected Cross Site Scripting vulnerability in the "image url" parameter of the AJAX call to the "editimage bwg" action of admin-ajax.php. This allows an attacker to insert and execute arbitrary JavaScript, but the attacker must target an authenticated user with permissions to access this component to exploit the issue. The "image url" parameter's value is embedded within an existing JavaScript in the response.

Recommendations As a temporary workaround, consider restricting access to the "editimage bwg" action of admin-ajax.php to minimize the risk of exploitation. Avoid using the image url parameter in the affected AJAX endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.