CVE-2024-6447

Name of the Vulnerable Software and Affected Versions The FULL – Cliente plugin for WordPress versions up to, and including, 3.1.12

Description The issue is related to Stored Cross-Site Scripting via the license plan parameter due to insufficient input sanitization and output escaping, as well as missing authorization and capability checks on the related functions. This allows unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrative user accesses the wp-admin dashboard.

Recommendations For versions up to, and including, 3.1.12, update to a version that addresses the insufficient input sanitization and output escaping, and ensures proper authorization and capability checks on the related functions. As a temporary workaround, consider restricting access to the license plan parameter to minimize the risk of exploitation.