CVE-2024-29810

Name of the Vulnerable Software and Affected Versions admin-ajax.php (affected versions not specified)

Description The issue concerns a reflected Cross Site Scripting vulnerability in the thumb url parameter of the AJAX call to the editimage bwg action of admin-ajax.php. This allows an attacker to insert and execute arbitrary JavaScript, as the value of the thumb url parameter is embedded within an existing JavaScript in the response. To exploit this issue, the attacker must target an authenticated user with permissions to access this component.

Recommendations As a temporary workaround, consider restricting access to the editimage bwg action of admin-ajax.php to minimize the risk of exploitation. Avoid using the thumb url parameter in the affected AJAX endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.