WordPress Plugin Vulnerabilities

Jetpack < 13.4 - Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode

Description

The plugin did not properly escape some of its shortcode attributes, allowing users with at least the contributor role to conduct Stored XSS attacks.

Proof of Concept

Affects Plugins

Plugin icon
jetpack
Fixed in 13.4

References

CVE
CVE-2024-4392
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/11dceac7-7ff8-4384-9046-919c38947c32

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
Yes
WPVDB ID
5649d116-5263-41e9-87b4-1cb71f12d419

Timeline

Publicly Published
2024-05-13 (about 1 year ago)
Added
2024-05-14 (about 1 year ago)
Last Updated
2024-05-14 (about 1 year ago)

Other

Published
Title
Published
2023-08-17
Title
93digital Typing Effect < 1.3.7 - Contributor+ Stored XSS
Published
2024-07-16
Title
Ajax Search Lite < 4.12.1 - Admin+ Stored XSS
Published
2024-03-13
Title
Advanced Sermons < 3.3 - Reflected Cross-Site Scripting
Published
2021-06-25
Title
Event Espresso Core < 4.10.7.p - Reflected Cross-Site Scripting (XSS)
Published
2023-11-15
Title
BMI Calculator Plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting