WordPress Plugin Vulnerabilities

VK All in One Expansion Unit < 9.97.0.0 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its child page index widget options (such as className) before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
vk-all-in-one-expansion-unit
Fixed in 9.97.0.0

References

CVE
CVE-2024-2170
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1bc697b3-20f6-46df-a250-f2009a60200e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_), ST
Verified
No
WPVDB ID
914dc94f-e17c-40e8-a87e-c87cb5ac916a

Timeline

Publicly Published
2024-03-25 (about 2 years ago)
Added
2024-03-26 (about 2 years ago)
Last Updated
2024-03-26 (about 2 years ago)

Other

Published
Title
Published
2022-04-28
Title
Ravpage < 2.25 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Jet Skinner for BuddyPress <= 1.2.5 - Reflected Cross-Site Scripting
Published
2024-10-31
Title
amazing neo icon font for elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-18
Title
Newspaper < 12.6.6 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Meta
Published
2012-05-15
Title
Sharebar <= 1.2.1 - SQL Injection & Cross-Site Scripting (XSS)