WordPress Plugin Vulnerabilities

Envo Extra < 1.8.17 - Authenticated (Contributor+) Cross-Site Scripting

Description

The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 1.8.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
envo-extra
Fixed in 1.8.17

References

CVE
CVE-2024-4385
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/83d78ff7-bd59-431e-b579-156e23ede053

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
2c9040ca-9971-40e1-a20f-f5879d94da94

Timeline

Publicly Published
2024-05-15 (about 2 years ago)
Added
2024-05-15 (about 2 years ago)
Last Updated
2024-05-15 (about 2 years ago)

Other

Published
Title
Published
2025-03-19
Title
Zielke Design Project Gallery <= 2.5.0 - Reflected Cross-Site Scripting
Published
2024-11-03
Title
JSFiddle Shortcode < 1.1.3 - Contributor+ XSS via Shortcode
Published
2024-02-26
Title
postMash – custom post order <= 1.2.0 - Reflected Cross-Site Scripting via m
Published
2024-04-24
Title
Tutor LMS – eLearning and online course solution < 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode
Published
2026-04-23
Title
E-cab Taxi Booking Manager for Woocommerce < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting