WordPress Plugin Vulnerabilities

WordPress Tag and Category Manager – AI Autotagger < 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The WordPress Tag and Category Manager – AI Autotagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'st_tag_cloud' shortcode in all versions up to, and including, 3.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
simple-tags
Fixed in 3.20.0

References

CVE
CVE-2024-2830
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f537479-d5ec-46bb-a04e-2c33a2abc759

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
94b2bf74-481d-473d-b57d-ab28ea933e34

Timeline

Publicly Published
2024-04-03 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2024-11-18
Title
Chameleoni Jobs < 2.5.5 - Reflected Cross-Site Scripting
Published
2025-11-10
Title
Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-02
Title
Gravel <= 1.6 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
Multiple Themify Themes - Reflected Cross-Site Scripting
Published
2021-08-10
Title
Picture Gallery < 1.4.4 - Authenticated Stored XSS