Real Media Library: Media Library Folder & File Manager < 4.22.8 – Contributor+ Stored XSS | CVE 2024-2027 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via its style attributes due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

real-media-library-lite

Fixed in 4.22.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/67a44d4c-da3f-4c3d-997b-1417c6906a9c

Miscellaneous

Original Researcher

Ngô Thiên An (ancorn_), Dau Hoang Tai

Verified

No

WPVDB ID

745c98a5-6e72-4189-b155-decd5cb512e4

Timeline

Publicly Published

2024-03-25 (about 2 years ago)

Added

2024-03-26 (about 2 years ago)

Last Updated

2024-03-26 (about 2 years ago)

Other

Published

Title

Published

2026-02-25

Title

User Registration & Membership < 5.1.3 - Authentication Bypass

Published

2023-06-02

Title

Contact Form Builder by vcita < 4.10.2 - Contributor+ Stored Cross-Site Scripting

Published

2023-08-31

Title

Give - Donation Plugin < 2.33.1 - Authenticated(Give Manager+) Privilege Escalation

Published

2015-01-28

Title

RedSteel Theme - File Disclosure

Published

2024-11-08

Title

RegistrationMagic – User Registration Plugin with Custom Registration Forms < 6.0.2.7 - Unauthenticated Privilege Escalation via Password Recovery