tarteaucitron.js for WordPress < 0.3.0 – Author+ Stored XSS | CVE 2024-11718 | Plugin Vulnerabilities

Description

The plugin allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Enable the Iframe Service in the plugin settings
2. As an author, add the HTML payload: `<div class="tac_iframe" data-url='" onload="alert(23)"'></div>`
3. Click on the "Allow" button to see the XSS

Affects Plugins

tarteaucitron-wp

Fixed in 0.3.0

References

CVE

URL

https://github.com/advisories/GHSA-f44m-65h3-99vc

URL

https://bitbucket.org/ccitron/tarteaucitron-wp/src/master/dist/tarteaucitronjs/

URL

https://huntr.com/bounties/a0fd0671-f051-4d41-8928-9b19819084c9

URL

https://packagist.org/packages/couleurcitron/tarteaucitron-wp

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pierre Rudloff

Submitter

Pierre Rudloff

Verified

Yes

WPVDB ID

02da3a49-20e4-4476-a78d-4c627994a90a

Timeline

Publicly Published

2024-10-27 (about 1 year ago)

Added

2025-03-03 (about 9 months ago)

Last Updated

2025-03-03 (about 9 months ago)

Other

Published

Title

Published

2024-02-19

Title

Schema & Structured Data for WP & AMP < 1.27 - Authenticated Stored XSS

Published

2024-11-08

Title

Christian Science Bible Lesson Subjects < 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-14

Title

Fade Slider <= 2.5 - Reflected Cross-Site Scripting

Published

2014-09-22

Title

Wu-Rating 1.0 - wu-ratepost.php v Parameter Reflected XSS

Published

2022-05-23

Title

WP Admin Style <= 0.1.2 - Admin+ Stored Cross-Site Scripting