Sheets To WP Table Live Sync < 3.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-34375 | Plugin Vulnerabilities

Description

The Table Plugin for WordPress with Google Sheets Integration – Sheets to WP Table Live Sync plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

sheets-to-wp-table-live-sync

Fixed in 3.7.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/45112069-9831-41d5-b868-8007ccfe9839

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Manab Jyoti Dowarah

Verified

No

WPVDB ID

1ca389b4-1453-478c-aec6-9d3bb4f40a46

Timeline

Publicly Published

2024-05-03 (about 2 years ago)

Added

2024-05-07 (about 2 years ago)

Last Updated

2024-05-07 (about 2 years ago)

Other

Published

Title

Published

2023-05-16

Title

WP < 6.2.1 - Contributor+ Content Injection

Published

2024-11-12

Title

Kognetiks Chatbot for WordPress < 2.1.8 - Reflected Cross-Site Scripting

Published

2021-04-19

Title

Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)

Published

2022-06-21

Title

LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting

Published

2024-03-29

Title

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Widget