Heateor Social Login < 1.1.31 – Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode | CVE 2024-24712 | Plugin Vulnerabilities

Description

The Heateor Social Login WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in version Ngô Thiên An (ancorn_ from VNPT-VCI) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

heateor-social-login

Fixed in 1.1.31

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1a3ebfba-7523-48a4-a315-4395be2cebef

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ngô Thiên An (ancorn_)

Verified

No

WPVDB ID

01def05e-6194-4e4d-a1e5-2077d0756c01

Timeline

Publicly Published

2024-01-31 (about 2 years ago)

Added

2024-02-02 (about 2 years ago)

Last Updated

2024-02-02 (about 2 years ago)

Other

Published

Title

Published

2026-02-13

Title

PixelYourSite < 11.2.0.1 - Unauthenticated Stored XSS

Published

2025-01-16

Title

QR Code Generator <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-16

Title

Easy Shortcode Buttons <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-31

Title

byBrick Accordion <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-27

Title

FAQ Builder AYS < 1.7.2 - Reflected Cross-Site Scripting