Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart.This issue affects Sunshine Photo Cart: from n/a through <= 3.1.1.
Security readout for executives and security teams
Plain-English summary
CVE-2024-30194 is a reflected cross-site scripting flaw in the WordPress Sunshine Photo Cart plugin through version 3.1.1. An attacker could trick a user into visiting a crafted link, causing script to run in that user’s browser in the site context.
Executive priority
Treat this as a near-term web application risk, especially for public WordPress sites handling customer galleries or commerce. It is high severity, but current evidence provided here does not confirm active exploitation.
Technical view
The issue is CWE-79 improper neutralization during web page generation. CVSS 3.1 is 7.1 high: network reachable, low complexity, no privileges required, user interaction required, scope changed, with low confidentiality, integrity, and availability impact.
Likely exposure
Exposure is limited to WordPress sites running Sunshine Photo Cart version 3.1.1 or earlier. Public-facing photography commerce or client gallery sites are the most relevant assets. The provided sources do not name other affected products.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. Practical abuse requires user interaction, typically getting a victim to open a maliciously crafted URL or page that reflects unsafe input.
Researcher notes
Evidence identifies reflected XSS through Sunshine Photo Cart 3.1.1 with CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Patch or exact fixed version is not stated in the supplied bundle, so remediation should be verified against vendor guidance.
Mitigation direction
Inventory WordPress sites for the Sunshine Photo Cart plugin.
Prioritize any installation running version 3.1.1 or earlier.
Check vendor or Patchstack guidance for a confirmed fixed version.
Disable or remove the plugin where business impact permits until remediated.
Use existing WAF and security controls to reduce reflected XSS exposure.
Validation and detection
Confirm plugin presence and version from WordPress administration or asset inventory.
Verify whether exposed sites are internet-facing and user-accessible.
Check vulnerability management records for CVE-2024-30194 coverage.
Review web logs for unusual requests to Sunshine Photo Cart endpoints.
Document compensating controls if immediate update or removal is not possible.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.