WordPress Plugin Vulnerabilities

Page Builder by SiteOrigin < 2.29.16 - Contributor+ Stored XSS via siteorigin_widget Shortcode

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
siteorigin-panels
Fixed in 2.29.16

References

CVE
CVE-2024-4361
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a97f72f6-86f7-45dc-908a-292ba735071d

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
ad352589-878a-4200-bf09-b838bf3eb90d

Timeline

Publicly Published
2024-05-20 (about 2 years ago)
Added
2024-05-21 (about 2 years ago)
Last Updated
2024-05-21 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
CubePM <= 1.0 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
ClickDesk <= 4.3 - Live Chat Widget Multiple Field XSS
Published
2022-04-04
Title
Social comments by WpDevArt < 2.5.0 - Admin+ Stored Cross-Site Scripting
Published
2022-04-08
Title
Floating Chat Widget < 2.8.4 - Admin+ Stored Cross-Site Scripting
Published
2023-11-14
Title
Website Optimization – Plerdy < 1.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting