CVE-2024-10107

4.8 MEDIUM

📋 TL;DR

This vulnerability in the RafflePress WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute when other users view those settings. It affects WordPress multisite installations where the unfiltered_html capability is restricted. The stored XSS attack requires admin-level privileges to initiate.

💻 Affected Systems

Products:
  • Giveaways and Contests by RafflePress WordPress plugin
Versions: All versions before 1.12.17
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Particularly relevant for WordPress multisite installations where unfiltered_html capability is disallowed for administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin access could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users when they view the plugin settings page.

🟠 Likely Case

A malicious admin injects tracking scripts or defaces the plugin settings page visible to other administrators, but the effect is limited to the plugin's settings interface.

🟢 If Mitigated

With proper privilege separation and input validation, impact is limited to the specific admin user's actions within the plugin settings area.

🌐 Internet-Facing: MEDIUM - WordPress sites are typically internet-facing, but exploitation requires admin credentials and affects only the plugin settings interface.
🏢 Internal Only: LOW - The vulnerability requires admin access, which should already be limited to trusted users in internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires admin access, but the injection itself is a simple stored XSS payload placed in a settings field.

Exploitation requires WordPress administrator privileges. The vulnerability is in plugin settings that aren't typically user-facing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.17

Vendor Advisory: https://wpscan.com/vulnerability/83590cad-6bfb-4dc7-b8fd-aecbc66f3c33/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Giveaways and Contests by RafflePress'.
4. Click 'Update Now' if available, or download version 1.12.17+ from WordPress.org.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the RafflePress plugin until patched:

wp plugin deactivate rafflepress

Restrict admin access (applies to: all)

Limit administrator accounts to only essential personnel.

🧯 If You Can't Patch

  • Remove administrator access from untrusted users
  • Implement Content Security Policy headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → RafflePress version. If version is below 1.12.17, you are vulnerable.

Check Version:

wp plugin get rafflepress --field=version

Verify Fix Applied:

Verify plugin version is 1.12.17 or higher in WordPress admin panel.
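The version check above is easy to get wrong when scripted: a plain string comparison ranks a hypothetical "1.12.9" above "1.12.17" because "9" sorts after "1", so the same caveat applies to any lexical `version<"1.12.17"` clause in a SIEM or inventory query. The POSIX sh script below is an added example, not part of the advisory or of the RafflePress project; it compares the version field by field as integers and, in `check_installed_rafflepress`, assumes WP-CLI (`wp`) is on PATH and is run from the WordPress root, as in the `wp plugin get` command shown above.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a RafflePress version
# string against the fixed release 1.12.17 numerically, field by field,
# so that e.g. 1.12.9 is correctly reported as older than 1.12.17
# (a plain string comparison would rank "9" above "17").
FIXED_VERSION="1.12.17"

# version_lt A B -> exit 0 if A is numerically older than B, 1 otherwise.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Take the leading dotted field of each version; a missing field is 0.
        af="${a%%.*}"; bf="${b%%.*}"
        # Keep digits only (e.g. "17-beta" -> "17") before the integer compare.
        af=$(printf '%s' "$af" | tr -cd '0-9'); bf=$(printf '%s' "$bf" | tr -cd '0-9')
        [ "${af:-0}" -lt "${bf:-0}" ] && return 0
        [ "${af:-0}" -gt "${bf:-0}" ] && return 1
        # Fields equal: advance past them; an exhausted version becomes empty.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # all fields equal: not older
}

# is_vulnerable VERSION -> prints "vulnerable" (exit 0) or "fixed" (exit 1).
is_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"; return 0
    else
        echo "fixed"; return 1
    fi
}

# check_installed_rafflepress: read the installed version via WP-CLI
# (assumption: wp on PATH, run from the WordPress root) and classify it.
check_installed_rafflepress() {
    v=$(wp plugin get rafflepress --field=version 2>/dev/null) || {
        echo "rafflepress not installed or wp-cli unavailable"; return 2; }
    printf 'rafflepress %s: ' "$v"
    is_vulnerable "$v"
}
```

Run `check_installed_rafflepress` on each site (on a multisite network the plugin is installed once, so one check covers the network); the exit status makes it usable directly in a fleet-wide inventory loop.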

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin setting modifications by admin users
  • JavaScript injection patterns in plugin option updates

Network Indicators:

  • Unexpected JavaScript loading from plugin settings pages

SIEM Query:

source="wordpress" AND (event="plugin_updated" OR event="option_updated") AND plugin="rafflepress" AND version<"1.12.17"
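The "JavaScript injection patterns in plugin option updates" indicator above needs concrete logic to be actionable. The following POSIX sh script is an added example, not part of the advisory or of any audit-log product: it filters rafflepress option-update events for values carrying an opening script tag, a javascript: URL, or an inline on*= handler, then pivots to the accounts that made those changes. The log format and field names (`user=`, `event=`, `plugin=`, `option=`, `value=`) are constructed for the example and must be mapped onto whatever your WordPress audit-logging plugin actually emits.

```shell
#!/bin/sh
# Added example (not from the advisory): flag audit-log lines in which a
# rafflepress option update carries script-like content. The log format and
# field names (user=, event=, plugin=, option=, value=) are constructed for
# this example; map them onto whatever your WordPress audit plugin emits.

# Constructed sample audit log, one event per line. Lines 2 and 4 are the
# ones a defender wants surfaced; line 3 belongs to a different plugin.
SAMPLE_LOG='2024-10-21T10:02:11Z user=alice event=option_updated plugin=rafflepress option=rafflepress_settings value="Enter to win"
2024-10-21T10:05:40Z user=bob event=option_updated plugin=rafflepress option=rafflepress_settings value="Win!<script src=//example.invalid/t.js></script>"
2024-10-21T10:06:02Z user=bob event=option_updated plugin=akismet option=akismet_key value="<script>x</script>"
2024-10-21T10:07:55Z user=carol event=option_updated plugin=rafflepress option=rafflepress_settings value="<a href=javascript:void(0)>Enter</a>"'

# Markers that have no business in a giveaway title or description:
# an opening script tag, a javascript: URL, or an inline on*= event handler
# (the required leading space or < keeps "version=" and "option=" from matching).
SCRIPT_PATTERN='<script|javascript:|[[:space:]<]on[a-z]+='

# scan_rafflepress_log: read log lines on stdin, print only rafflepress
# option updates whose value contains one of the markers above.
scan_rafflepress_log() {
    grep 'event=option_updated' | grep 'plugin=rafflepress' \
        | grep -iE "$SCRIPT_PATTERN"
}

# count_hits: number of flagged lines in SAMPLE_LOG (2 for the sample above).
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_rafflepress_log | wc -l | tr -d ' '
}

# flagged_users: the accounts behind the flagged changes, one per line,
# which is the next pivot for an analyst (who, and from when).
flagged_users() {
    printf '%s\n' "$SAMPLE_LOG" | scan_rafflepress_log \
        | sed -n 's/.* user=\([^ ]*\) .*/\1/p' | sort -u
}

# Stand-alone run: show the flagged lines.
printf '%s\n' "$SAMPLE_LOG" | scan_rafflepress_log
```

Pipe a real log into `scan_rafflepress_log` instead of `SAMPLE_LOG` once the field names match your source; because the stored value executes when another administrator opens the settings page, every hit should be followed by checking which admins viewed that page after the change.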
