WordPress Plugin Vulnerabilities

Link To Bible < 2.5.10 - Administrator+ Stored XSS

Description

The plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
link-to-bible
Fixed in 2.5.10

References

CVE
CVE-2024-37538
URL
https://patchstack.com/database/vulnerability/link-to-bible/wordpress-link-to-bible-plugin-2-5-9-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Sharanabasappa
Verified
No
WPVDB ID
ae338ce0-0952-4762-8b25-93e9c82f9bd2

Timeline

Publicly Published
2024-07-06 (about 1 year ago)
Added
2024-07-10 (about 1 year ago)
Last Updated
2024-09-13 (about 1 year ago)

Other

Published
Title
Published
2025-08-11
Title
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations < 2.0.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox
Published
2024-05-09
Title
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.20 - Contributor+ Stored Cross-Site Scripting via 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table'
Published
2025-10-02
Title
Interactive Medical Drawing of Human Body <= 2.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2026-02-18
Title
Tennis Court Bookings <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings and Calendar Parameters
Published
2024-04-12
Title
Easy Contact Form Lite < 1.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting