Woody code snippets – Insert Header Footer Code, AdSense Ads < 2.5.1 – Admin+ Stored XSS | CVE 2024-35751 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 2.5.1

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/insert-php/vulnerability/wordpress-woody-code-snippets-plugin-2-4-10-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Phill Sav (Savphill)

Verified

No

WPVDB ID

8570fd65-2dab-4025-9a11-1485d452dbb0

Timeline

Publicly Published

2024-06-06 (about 2 years ago)

Added

2024-06-13 (about 2 years ago)

Last Updated

2025-02-10 (about 1 year ago)

Other

Published

Title

Published

2025-07-18

Title

OpenStreetMap for Gutenberg and WPBakery Page Builder <= 1.2.0 - Contributor+ Stored XSS

Published

2021-09-09

Title

MoolaMojo <= 0.7.4.1 - Reflected Cross-Site Scripting

Published

2023-11-07

Title

ANAC XML Bandi di Gara <= 7.5 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-03-25

Title

Super Socializer < 7.13.64 - Editor+ Stored XSS

Published

2023-10-20

Title

Add Custom Body Class <= 1.4.1 - Contributor+ Stored Cross-Site Scripting