Structured Content < 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode | CVE 2024-24839 | Plugin Vulnerabilities

Description

The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Classic Editor shortcodes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

structured-content

Fixed in 1.6.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a013106b-4e2a-4dd9-a0ab-7e6c91e715dd

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

LVT-tholv2k

Verified

No

WPVDB ID

81114639-06ab-4dc1-9f6e-f7c39abc924a

Timeline

Publicly Published

2024-02-02 (about 2 years ago)

Added

2024-02-05 (about 2 years ago)

Last Updated

2024-02-05 (about 2 years ago)

Other

Published

Title

Published

2024-03-19

Title

Contests by Rewards Fuel < 2.0.65 - Authenticated (Contributor+) Stored Cross-Site Scripting via update_rewards_fuel_api_key

Published

2025-12-17

Title

My auctions allegro <= 3.6.33 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-11-07

Title

Element Pack Elementor Addons < 5.10.3 - Contributor+ Stored XSS

Published

2024-12-11

Title

AI Content Writer, RSS Feed to Post, Autoblogging SEO Help < 6.1.4 - Reflected Cross-Site Scripting

Published

2025-03-11

Title

Block Spam By Math Reloaded <= 2.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting