CVE-2024-30194
Published: 27 March 2024
Summary
CVE-2024-30194 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Sunshinephotocart Sunshine Photo Cart. Its CVSS base score is 7.1 (High).
Operationally, ranked in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-30194 is a reflected cross-site scripting vulnerability (CWE-79) in the Sunshine Photo Cart WordPress plugin. It stems from improper neutralization of input during web page generation and affects all versions through 3.1.1. The flaw carries a CVSS 3.1 score of 7.1 with a network attack vector, low complexity, and no required privileges.
An unauthenticated remote attacker can supply a crafted request that is reflected back to a victim user, allowing execution of arbitrary script in the victim's browser context. Successful exploitation can result in theft of session tokens or other sensitive data, as well as limited impact to confidentiality, integrity, and availability within the affected site.
The referenced Patchstack advisories identify the issue in the sunshine-photo-cart plugin and indicate that the vulnerability is resolved in versions newer than 3.1.1.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.1868 (current value 0.1149), indicating measurable post-disclosure exploitation interest that warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-28126
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart.This issue affects Sunshine Photo Cart: from n/a through <= 3.1.1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.