WordPress Plugin Vulnerabilities

Tracking Code Manager < 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Tracking Code Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the tracking code field in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-10309 is a duplicate of this issue.

Affects Plugins

Plugin icon
tracking-code-manager
Fixed in 2.4.0

References

CVE
CVE-2024-8721
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/443d2e80-31db-40ac-9c35-88eec841ebba

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
TANG Cheuk Hei (siunam)
Verified
No
WPVDB ID
50b5ce16-973f-41e6-be7f-c900f6b8b51b

Timeline

Publicly Published
2024-12-23 (about 1 year ago)
Added
2024-12-23 (about 1 year ago)
Last Updated
2025-02-19 (about 1 year ago)

Other

Published
Title
Published
2023-09-26
Title
flowpaper < 2.0.4 - Contributor+ Stored XSS
Published
2023-01-25
Title
Opening Hours <= 2.3.0 - Contributor+ Stored XSS via Shortcode
Published
2023-11-06
Title
Social Feed <= 1.5.4.6 - Author+ Stored XSS
Published
2026-01-08
Title
Easy Media Download < 1.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
FWD Slider <= 1.0 - Reflected Cross-Site Scripting