CVE-2024-9607

Name of the Vulnerable Software and Affected Versions 10Web Social Post Feed plugin for WordPress versions up to, and including, 1.2.9

Description The issue arises from the use of add query arg without proper escaping on the URL, leading to Reflected Cross-Site Scripting. This allows unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user performs a specific action, such as clicking on a link. The exploitability of this issue is conditional upon the presence of the 'leave a review' notice.

Recommendations For versions up to, and including, 1.2.9, update to a version that fixes this issue to prevent Reflected Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to pages where the 'leave a review' notice is present to minimize the risk of exploitation.