WordPress Plugin Vulnerabilities

Media Alt Renamer 0.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via _wp_attachment_image_alt postmeta

Description

The Media Alt Renamer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ postmeta parameter in versions up to 0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
media-alt-renamer
No known fix

References

CVE
CVE-2024-1434
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7826a6ab-50c4-4fc0-b58d-74084172b4e5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Joshua Chan
Verified
No
WPVDB ID
23526d3a-364b-4ca4-b6ff-3afa555d4123

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-02-28 (about 2 years ago)
Last Updated
2024-02-28 (about 2 years ago)

Other

Published
Title
Published
2017-03-01
Title
Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
Published
2022-11-22
Title
Videojs HTML5 Player < 1.1.9 - Contributor+ Stored XSS
Published
2023-05-09
Title
VK Blocks < 1.54.0 - Multiple Stored XSS
Published
2024-01-05
Title
Weaver Xtreme < 6.4 - Contributor+ Stored XSS
Published
2025-04-10
Title
Affiliate Links Lite < 3.2.0 - Reflected Cross-Site Scripting