WordPress Plugin Vulnerabilities

WP To Do < 1.2.9 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wp-todo
Fixed in 1.2.9

References

CVE
CVE-2024-22292
URL
https://patchstack.com/database/vulnerability/wp-todo/wordpress-wp-to-do-plugin-1-2-8-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Kang SeoHee
Verified
No
WPVDB ID
25bd1f27-8b35-418c-9062-6c3447c74f50

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-22 (about 2 years ago)
Last Updated
2024-02-13 (about 2 years ago)

Other

Published
Title
Published
2024-03-28
Title
Geo Controller < 8.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-15
Title
Tapfiliate < 3.0.13 - Admin+ Stored XSS
Published
2023-03-30
Title
PixFields <= 0.7.0 - Contributor+ Stored Cross-Site Scripting
Published
2025-04-30
Title
Remote Images Grabber <= 0.6 - Reflected Cross-Site Scripting
Published
2024-03-29
Title
Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget