CVE-2024-8965
Absolute Reviews <= 1.1.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria NameThe Absolute Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Name' field of a custom post criteria in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 453 live websites that are affected by CVE-2024-8965.
Affected Software
| Product |  Absolute Reviews |
| Category | Wordpress Plugins |
| Vulnerable Domains | 453 live websites (27% of Absolute Reviews install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 9 versions ( 75% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 27, 2024
- Updated - Sep 27, 2024
Credits
- Muhammad Adel (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-8965 United States | 130 websites |
 Poland | 83 websites |
 Germany | 43 websites |
 France | 27 websites |
 Cyprus | 15 websites |
 Italy | 15 websites |
 Netherlands | 13 websites |
 GB | 12 websites |
 Russia | 11 websites |
 Vietnam | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2024-8965| .com | 173 websites |
| .pl | 72 websites |
| .org | 26 websites |
| .de | 15 websites |
| .net | 12 websites |
| .ru | 10 websites |
| .nl | 9 websites |
| .it | 7 websites |
| .ca | 6 websites |
| .fr | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-8965
Top websites that are affected by CVE-2024-8965. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****************.org | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| *******.*******.net | United States | ***,*** | |
| ********.com | Italy | ***,*** | |
| *******.com | France | ***,*** | |
| *************.com | United States | ***,*** | |
| **********.***.uk | GB | ***,*** | |
| ********.com | United States | ***,*** | |
| ********.com |  India | ***,*** | |
| ************.com | United States | ***,*** |
FAQ
CVE-2024-8965 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Absolute Reviews
A total of 453 websites have been identified as vulnerable to CVE-2024-8965, based on global website indexing conducted by WebTechSurvey.
The Absolute Reviews is affected by the CVE-2024-8965 vulnerability.
Absolute Reviews versions up to and including 1.1.3 are vulnerable to CVE-2024-8965.