WordPress Plugin Vulnerabilities

Click To Tweet <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Click To Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
click-to-tweet
No known fix

References

CVE
CVE-2024-23514
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7eee591c-2676-479c-ab15-96da10f51ae0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
ab230585-a320-4b19-b97d-877a5c2e2e6a

Timeline

Publicly Published
2024-01-30 (about 2 years ago)
Added
2024-02-04 (about 2 years ago)
Last Updated
2024-02-04 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
pdf.js < 2.0.943 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2023-05-22
Title
Contact Form Entries < 1.3.1 - Contributor+ Stored XSS
Published
2024-11-20
Title
SuevaFree Essential Kit < 1.1.4 - Contributor+ Stored XSS
Published
2024-11-19
Title
LeanPress <= 1.0.0 - Reflected Cross-Site Scripting
Published
2023-01-31
Title
Namaste! LMS < 2.5.9.4 - Admin+ Stored XSS