WordPress Plugin Vulnerabilities

Website Content in Page or Post < 2024.04.09 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
show-website-content-in-wordpress-page-or-post
Fixed in 2024.04.09

References

CVE
CVE-2024-2430

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Ayush Juneja
Submitter
Ayush Juneja
Verified
Yes
WPVDB ID
990b7d7a-3d7a-46d5-9aeb-740de817e2d9

Timeline

Publicly Published
2024-06-21 (about 1 year ago)
Added
2024-06-21 (about 1 year ago)
Last Updated
2024-06-21 (about 1 year ago)

Other

Published
Title
Published
2025-09-29
Title
Custom Post Type Attachment <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-24
Title
Page Builder: Live Composer < 1.5.23 - Contributor+ Stored XSS via Shortcode
Published
2025-01-16
Title
Altima Lookbook Free for WooCommerce <= 1.1.0 - Refletced Cross-Site Scripting
Published
2023-10-29
Title
FareHarbor < 3.6.8 - Contributor+ Stored Cross-Site Scripting
Published
2020-08-10
Title
RSS Feed Widget < 2.8.1 - Authenticated Cross-Site Scripting (XSS)