PT-2024-37928 · WordPress · Giveaways/Contests By Rafflepress

Dmitry Ignatyev · Published 2024-09-11 · Updated 2024-09-26 · CVE-2024-6887

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Giveaways and Contests by RafflePress WordPress plugin, versions prior to 1.12.16

Description: The Giveaways and Contests by RafflePress WordPress plugin does not properly sanitise and escape some of its Giveaways settings. This allows high-privilege users, such as editors and above, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example in multisite setups. The CVSS vector reflects this: the attacker already holds a privileged account (PR:H), a victim must view the affected page (UI:R), and the injected script executes in the browsers of other users (S:C).

Recommendations: Update to version 1.12.16 or later. As a temporary workaround until the update can be applied, restrict the ability to edit Giveaways settings to the most trusted users, such as administrators, so that lower-privileged roles cannot store content in these fields.
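The pattern behind this class of bug, as an added illustration that is not RafflePress code and does not reproduce the plugin's internals: a WordPress settings handler that stores a submitted value unchanged and echoes it raw, next to a hardened version that sanitises on save through the Settings API, escapes at output, and applies the same KSES filter WordPress uses for post content to users who lack unfiltered_html. The option key, settings group and field names (demo_giveaway_settings, demo_giveaway_group, title, description) are hypothetical; the block assumes it runs inside WordPress, where the wp_kses_post, sanitize_text_field, esc_html, current_user_can and register_setting functions exist.

```php
<?php
/*
 * Added example (not RafflePress code): the stored-XSS pattern described
 * in this advisory, as a generic WordPress plugin settings handler.
 * Hypothetical names: option 'demo_giveaway_settings', group
 * 'demo_giveaway_group', fields 'title' (plain text) and 'description'
 * (limited HTML). Requires the WordPress runtime.
 */

// ---- VULNERABLE: no sanitisation on save, no escaping on output -------
// An editor may not hold unfiltered_html (WordPress multisite removes it
// from everyone but super admins), yet a payload such as
// <script>...</script> submitted as the title is stored verbatim and runs
// in the browser of every user who views the rendered page.
function demo_save_settings_vulnerable( array $input ) {
    update_option( 'demo_giveaway_settings', $input );        // stored as-is
}

function demo_render_title_vulnerable() {
    $opts = get_option( 'demo_giveaway_settings', array() );
    echo '<h2>' . ( $opts['title'] ?? '' ) . '</h2>';         // echoed as-is
}

// ---- FIXED: sanitise on save, escape on output -----------------------
function demo_sanitize_settings( $input ) {
    $input = (array) $input;
    $clean = array();

    // Plain-text field: tags, octets and control characters are removed.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );

    // Rich-text field: a user without unfiltered_html gets exactly the
    // KSES post-content filter WordPress applies to their own posts, so the
    // capability cannot be bypassed by routing HTML through plugin settings.
    $description          = (string) ( $input['description'] ?? '' );
    $clean['description'] = current_user_can( 'unfiltered_html' )
        ? $description
        : wp_kses_post( $description );

    return $clean;
}

// Registering a sanitize_callback makes the Settings API run the filter on
// every save, so the stored value can never be unsanitised.
add_action( 'admin_init', function () {
    register_setting(
        'demo_giveaway_group',
        'demo_giveaway_settings',
        array( 'sanitize_callback' => 'demo_sanitize_settings' )
    );
} );

function demo_render_settings_fixed() {
    $opts = get_option( 'demo_giveaway_settings', array() );

    // Late escaping with the escaper that matches the output context:
    // esc_html for element text, esc_attr for attribute values.
    echo '<h2 data-title="' . esc_attr( $opts['title'] ?? '' ) . '">'
        . esc_html( $opts['title'] ?? '' ) . '</h2>';

    // The description is allowed to carry limited HTML, so it is filtered
    // again on output; stored data is not trusted even after sanitisation.
    echo '<div class="giveaway-description">'
        . wp_kses_post( $opts['description'] ?? '' ) . '</div>';
}
```

Two points worth checking in any plugin that stores free-text settings: the filter on save must be tied to the current user's capabilities (current_user_can('unfiltered_html') is false for editors, and on multisite also for ordinary administrators), and escaping must happen at output with the escaper for that context, since a value that is safe inside an element's text is not automatically safe inside an attribute or a URL.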

Weakness Enumeration: XSS

Related Identifiers: CVE-2024-6887

Affected Products: Giveaways/Contests By Rafflepress