AutomatorWP < 5.1.0 – Reflected Cross-Site Scripting via a-0-o-search_field_value | CVE 2024-12626 | Plugin Vulnerabilities

Description

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.

Affects Plugins

Fixed in 5.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c8abcc7b-6c68-4fc8-81af-e88624e417dd

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vincent Fourcade (vinceMatsui)

Verified

No

WPVDB ID

2b7393e8-87cc-469e-9e61-15613a343d64

Timeline

Publicly Published

2024-12-18 (about 1 year ago)

Added

2024-12-18 (about 1 year ago)

Last Updated

2024-12-19 (about 1 year ago)

Other

Published

Title

Published

2021-10-28

Title

Contact Form by Supsystic < 1.7.20 - Admin+ Stored Cross-Site Scripting

Published

2024-01-17

Title

WP To Do < 1.2.9 - Contributor+ Stored XSS

Published

2025-02-03

Title

Include Mastodon Feed < 1.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-08-28

Title

WP Search Analytics < 1.4.8 - Reflected XSS

Published

2022-05-26

Title

Post Grid, Slider & Carousel Ultimate < 1.5.0 - Admin+ Stored XSS