WordPress Plugin Vulnerabilities

SiteOrigin Widgets Bundle < 1.58.2 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the code editor due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to perform Stored XSS attacks

Affects Plugins

Plugin icon
so-widgets-bundle
Fixed in 1.58.2

References

CVE
CVE-2024-0961
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f7c164f-2f78-4857-94b9-077c2dea13df

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
2c1b3942-5234-4523-99a7-2606e20349b5

Timeline

Publicly Published
2024-01-29 (about 2 years ago)
Added
2024-01-31 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2024-09-23
Title
WP Travel < 9.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-04-04
Title
URL Shortify < 1.10.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-06-07
Title
Formula < 0.5.2 - Reflected Cross-Site Scripting via ti_customizer_notify_dismiss_recommended_plugins
Published
2023-04-13
Title
Watu Quiz < 3.3.9.3 - Reflected XSS
Published
2024-03-18
Title
Tourfic < 2.11.8 - Reflected Cross-Site Scripting