WordPress Plugin Vulnerabilities

Borderless < 1.5.9 - Editor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
borderless
Fixed in 1.5.9

References

CVE
CVE-2024-54211
URL
https://patchstack.com/database/wordpress/plugin/borderless/vulnerability/wordpress-borderless-widgets-elements-templates-and-toolkit-for-elementor-gutenberg-plugin-1-5-7-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
João G. Barbosa (4rCanJ0x!)
Verified
No
WPVDB ID
aa5dac02-8248-4024-93dc-59722f850661

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-11 (about 1 year ago)
Last Updated
2024-12-18 (about 1 year ago)

Other

Published
Title
Published
2021-12-03
Title
Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS
Published
2023-03-29
Title
Weaver Xtreme Theme Support < 6.2.7 - Contributor+ Stored XSS
Published
2024-09-16
Title
Septera <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-03-01
Title
Bank Mellat < 2.0.1 - Reflected Cross-Site Scripting
Published
2025-03-24
Title
Hester <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting