WordPress Plugin Vulnerabilities

MyBookTable Bookstore < 3.3.8 - Authenticated (Author+) Stored Cross-Site Scripting

Description

The MyBookTable Bookstore plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SEO post data in versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
mybooktable
Fixed in 3.3.8

References

CVE
CVE-2024-29772
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a15f8a5a-dccf-476e-9a40-e9ea11dc46f6

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
CatFather
Verified
No
WPVDB ID
13d2290b-a2b5-41f3-bc33-9ef2511da202

Timeline

Publicly Published
2024-03-25 (about 2 years ago)
Added
2024-04-01 (about 2 years ago)
Last Updated
2024-04-01 (about 2 years ago)

Other

Published
Title
Published
2015-02-22
Title
Google Doc Embedder <= 2.5.18 - Cross-Site Scripting (XSS)
Published
2023-07-18
Title
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Published
2023-01-16
Title
Restaurant Menu < 2.3.6 - Contributor+ Stored XSS via Shortcode
Published
2024-11-25
Title
Parsi Date < 5.1.2 - Reflected Cross-Site Scripting via add_query_arg Parameter
Published
2021-09-01
Title
Zoho CRM Lead Magnet < 1.7.2.9 - Admin+ Stored Cross-Site Scripting