Create by Mediavine < 1.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-37495 | Plugin Vulnerabilities

Description

The Create by Mediavine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

mediavine-create

Fixed in 1.9.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1f39c2db-cf9a-4abf-bb43-f7e860b656d4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

LVT-tholv2k

Verified

No

WPVDB ID

543d4d1e-fe1a-4f16-af03-ee2b0e24d158

Timeline

Publicly Published

2024-07-04 (about 1 year ago)

Added

2024-07-10 (about 1 year ago)

Last Updated

2024-07-10 (about 1 year ago)

Other

Published

Title

Published

2025-04-10

Title

WP-Hijri <= 1.5.3 - Reflected Cross-Site Scripting

Published

2024-03-22

Title

Move Addons for Elementor < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-05-27

Title

Smart Online Order for Clover < 1.6.1 - Unauthenticated Stored Cross-Site Scripting

Published

2019-07-16

Title

Coming Soon Page & Maintenance Mode < 1.8.2 - Unauthenticated Stored XSS

Published

2025-02-24

Title

PlayerJS < 2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting