Tracking Code Manager < 2.4.0 – Contributor+ Stored XSS | CVE 2024-10309 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its metabox settings when outputing them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Proof of Concept

1. Add a new post as a Contributor.
2. In the "Tracking Code by Data443" metabox, add a title in the "Or add a name" box, and one of the following payloads in the "and paste HTML code here" box:

// Payload with HTML encoding
&lt;script&gt;alert(/xss/)&lt;script&gt;

// Payload using `onload` attribute
<img src=https://s.w.org/style/images/about/WordPress-logotype-wmark.png onload=alert(/xss/)>

3. Save the post and view the preview to trigger the XSS payload.

Affects Plugins

tracking-code-manager

Fixed in 2.4.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

9eb21250-34bd-4600-a0a5-7c5117f69f04

Timeline

Publicly Published

2025-01-09 (about 11 months ago)

Added

2025-01-09 (about 11 months ago)

Last Updated

2025-01-09 (about 11 months ago)

Other

Published

Title

Published

2022-05-09

Title

Birthdays Widget <= 1.7.18 - Admin+ Stored Cross Site Scripting

Published

2017-11-29

Title

WordPress 4.3.0-4.9 - HTML Language Attribute Escaping

Published

2025-02-23

Title

Wired Impact Volunteer Management < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-04-13

Title

CM Download Manager < 2.8.0 - Unauthenticated Reflected Cross Site Scripting (XSS)

Published

2025-05-13

Title

Post Slider and Carousel with Widget < 3.2.10 - Admin+ Stored XSS