WordPress Plugin Vulnerabilities

Animate It! < 2.4.0 - Contributor+ Stored Cross-Site Scripting

Description

The plugin has flawed validations and does not escape its shortcode argument, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks via a malicious shortcode

Proof of Concept

Affects Plugins

Plugin icon
animate-it
Fixed in 2.4.0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
66bfc5d5-fa8f-4b2a-bc2d-476444c2fa12

Timeline

Publicly Published
2022-03-30 (about 4 years ago)
Added
2022-03-30 (about 4 years ago)
Last Updated
2022-03-30 (about 4 years ago)

Other

Published
Title
Published
2022-08-09
Title
Social Slider Feed < 2.0.7 - Admin+ Stored XSS via Feeds
Published
2021-04-30
Title
Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2022-02-07
Title
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
Published
2024-06-28
Title
WP Photo Album Plus < 8.8.00.003 - Reflected Cross-Site Scripting
Published
2025-07-15
Title
Affiliate Reviews < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via numColumns Parameter