CVE-2024-12595: AHAthat Plugin <= 1.6 - Reflected XSS via REQUEST_URI

Description

The AHAthat Plugin WordPress plugin through version 1.6 does not escape the $_SERVER['REQUEST_URI'] value before outputting it back inside an HTML attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
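The defect class described above, shown as an added PHP illustration beside its hardened form; this is not the plugin's own code, and the function names and the form attribute are hypothetical:

```php
<?php
// Added illustration, not the AHAthat plugin's code. Function names and the
// form attribute are hypothetical; the defect class (unescaped REQUEST_URI
// reflected into an attribute) is the one the advisory describes.

// Weak pattern: the raw request path and query string land inside an
// attribute value. A double quote in the reflected URL can close the
// attribute in a browser that does not percent-encode it on the wire.
function weak_form_action_attr(): string {
    return '<form action="' . $_SERVER['REQUEST_URI'] . '" method="post">';
}

// Hardened pattern: esc_url() strips characters that are invalid in a URL
// (including double quotes and angle brackets), rejects disallowed
// protocols, and encodes ampersands and single quotes. Relative paths such
// as /page/?x=1 pass through unchanged, so a self-posting form keeps working.
function hardened_form_action_attr(): string {
    return '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post">';
}

// For an attribute that is not a URL, esc_attr() is the matching escaper;
// the rule is the same: escape at output, in the context it is output into.
function hardened_data_attr(): string {
    return '<div data-request="' . esc_attr( $_SERVER['REQUEST_URI'] ) . '">';
}
```

When reviewing a plugin for this pattern, grep for $_SERVER['REQUEST_URI'] and confirm every echo of it passes through a context-appropriate esc_* function.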

Classification

CVE ID: CVE-2024-12595

Affected Products

Vendor: Unknown

Product: AHAthat Plugin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (share of all scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-02-04 (date the score was calculated)

References

https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/

Timeline