WordPress Plugin Vulnerabilities

WordPress Page Builder – Zion Builder < 3.6.10 - Authenticated (Editor+) Stored Cross-Site Scripting

Description

The WordPress Page Builder – Zion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 3.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
zionbuilder
Fixed in 3.6.10

References

CVE
CVE-2024-30444
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4d8bd9bc-5062-4966-bc44-bfe033d5fc9b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
03f98f5f-642d-4eed-86c4-e91aa9e8d653

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2018-08-30
Title
Jibu Pro <= 1.7 - Stored XSS
Published
2025-01-24
Title
PPOM for WooCommerce < 33.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-03-13
Title
Contact Form by BestWebSoft < 4.2.9 - Reflected Cross-Site Scripting via cntctfrm_contact_subject
Published
2025-09-07
Title
Toast Mobile Menu < 1.0.9 - Unauthenticated Stored Cross-Site Scripting
Published
2024-09-12
Title
WP Meta SEO < 4.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting