CVE-2024-1958: WPB Show Core < 2.7 - Reflected XSS

Description

The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users

Classification

CVE ID: CVE-2024-1958

Problem Types

CWE-79 Cross-Site Scripting (XSS)

Affected Products

Vendor: Unknown

Product: wpb-show-core

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 30.07% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1958
https://wpscan.com/vulnerability/8be4ebcf-2b42-4b88-89a0-2df6dbf00b55/

Timeline

2025-03-28 19:40:20 UTC
CVE

WPB Show Core < 2.7 - Reflected XSS