CVE-2024-5600 - Vulnerability Details - OpenCVE

The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00241.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve

History

Wed, 08 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-862

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-07-09T08:33:04.702Z

Updated: 2026-04-08T16:47:37.807Z

Reserved: 2024-06-03T17:54:39.950Z

Link: CVE-2024-5600

Vulnrichment

Updated: 2024-08-01T21:18:06.423Z

NVD

Status : Awaiting Analysis

Published: 2024-07-09T09:15:06.960

Modified: 2026-04-08T18:22:09.493

Link: CVE-2024-5600

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-5600", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-06-03T17:54:39.950Z", "datePublished": "2024-07-09T08:33:04.702Z", "dateUpdated": "2026-04-08T16:47:37.807Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:37.807Z"}, "affected": [{"vendor": "happymonkeyagency", "product": "SCSS Happy Compiler \u2013 Compile SCSS to CSS & Automatic Enqueue", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SCSS Happy Compiler \u2013 Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts."}], "title": "Happy SCSS Compiler - Compile SCSS to CSS automatically <= 1.3.10 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-07-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "happymonkeyagency", "product": "scss_happy_compiler", "cpes": ["cpe:2.3:a:happymonkeyagency:scss_happy_compiler:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.10", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T14:22:24.737239Z", "id": "CVE-2024-5600", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:27:29.181Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.423Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.423Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-23T14:22:24.737239Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:happymonkeyagency:scss_happy_compiler:*:*:*:*:*:*:*:*"], "vendor": "happymonkeyagency", "product": "scss_happy_compiler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.10"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:27:24.957Z"}}], "cna": {"title": "Happy SCSS Compiler - Compile SCSS to CSS automatically <= 1.3.10 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "happymonkeyagency", "product": "SCSS Happy Compiler \u2013 Compile SCSS to CSS & Automatic Enqueue", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-07-08T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384"}], "descriptions": [{"lang": "en", "value": "The SCSS Happy Compiler \u2013 Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-07-09T08:33:04.702Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5600", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:06.423Z", "dateReserved": "2024-06-03T17:54:39.950Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-07-09T08:33:04.702Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SCSS Happy Compiler \u2013 Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts."}, {"lang": "es", "value": " El complemento SCSS Happy Compiler \u2013 Compile SCSS to CSS & Automatic Enqueue para WordPress es vulnerable a Cross Site Scripting almacenado debido a una falta de verificaci\u00f3n de capacidad y una sanitizaci\u00f3n insuficiente en la funci\u00f3n import_settings() en todas las versiones hasta la 1.3.10 incluida. . Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, inyecten scripts web maliciosos."}], "id": "CVE-2024-5600", "lastModified": "2026-04-08T18:22:09.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-07-09T09:15:06.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/happy-scss-compiler/trunk/admin/class-hm-wp-scss-admin.php#L384"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d0ecffe-8543-4d82-a1cc-f2474499f373?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}