WordPress Plugin Vulnerabilities

Website Builder by SeedProd < 6.18.4 - Editor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
coming-soon
Fixed in 6.18.4

References

CVE
CVE-2024-47299
URL
https://patchstack.com/database/vulnerability/coming-soon/wordpress-website-builder-by-seedprod-6-17-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
João Pedro Soares de Alcântara
Verified
No
WPVDB ID
7824cfae-da55-40f6-865e-68d531ab8c49

Timeline

Publicly Published
2024-09-24 (about 1 year ago)
Added
2024-10-03 (about 1 year ago)
Last Updated
2024-10-03 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
WordPress 3.6 - _wp_http_referer Parameter Cross-Site Scripting (XSS)
Published
2024-03-25
Title
Carousel Slider < 2.2.7 - Editor+ Stored XSS
Published
2023-09-01
Title
WP-dTree <= 4.4.5 - Reflected XSS
Published
2020-02-26
Title
Easy Forms for Mailchimp < 6.6.3 - Authenticated Cross-Site Scripting (XSS)
Published
2022-02-14
Title
WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode