WordPress Plugin Vulnerabilities

IMPress for IDX Broker < 3.2.3 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
idx-broker-platinum
Fixed in 3.2.3

References

CVE
CVE-2024-44047
URL
https://patchstack.com/database/vulnerability/idx-broker-platinum/wordpress-impress-for-idx-broker-plugin-3-2-1-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Michael
Verified
No
WPVDB ID
8a81d7d4-f839-4342-aa5b-8cb10d74841b

Timeline

Publicly Published
2024-09-16 (about 1 year ago)
Added
2024-09-24 (about 1 year ago)
Last Updated
2024-10-28 (about 1 year ago)

Other

Published
Title
Published
2026-02-24
Title
Secure Copy Content Protection and Content Locking < 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
Published
2024-11-27
Title
Kudos Donations – Easy donations and payments with Mollie < 3.3.0 - Reflected Cross-Site Scripting
Published
2023-12-12
Title
WP Go Maps < 9.0.28 - Unauthenticated Stored XSS
Published
2025-01-16
Title
One Backend Language <= 1.0 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Awesome Hooks <= 1.0.1 - Reflected Cross-Site Scripting