Template Kit – Export < 1.0.22 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-37550 | Plugin Vulnerabilities

Description

The Template Kit – Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

template-kit-export

Fixed in 1.0.22

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4e7de990-4a6b-4bae-89a2-4a417071fe20

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mahesh Nagabhairava

Verified

No

WPVDB ID

9e6ad707-7634-4155-9ed3-edbbf3557f61

Timeline

Publicly Published

2024-07-06 (about 1 year ago)

Added

2024-07-11 (about 1 year ago)

Last Updated

2024-07-18 (about 1 year ago)

Other

Published

Title

Published

2023-04-01

Title

Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting

Published

2024-02-23

Title

WP Event Manager < 3.1.42 - Reflected Cross-Site Scripting via plugin

Published

2015-08-21

Title

WP Legal Pages < 1.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-05-22

Title

Arforms < 6.4.1 - Reflected XSS

Published

2025-12-15

Title

Document Library Lite < 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting