WordPress Plugin Vulnerabilities

Scroll Triggered Box <= 2.3 - Authenticated (Editor+) Stored Cross-Site Scripting

Description

The Scroll Triggered Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
dreamgrow-scroll-triggered-box
No known fix

References

CVE
CVE-2024-24865
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b92c3d68-2e3e-4500-8da9-f89373126445

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Savphill
Verified
No
WPVDB ID
d7390a0e-b626-48e0-b07c-b274e68423e6

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-02-05 (about 2 years ago)

Other

Published
Title
Published
2022-06-06
Title
WordPress Security < 4.2.1 - Admin+ Stored Cross-Site Scripting
Published
2025-04-01
Title
ABC Notation <= 6.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-21
Title
Ebook Store < 5.8013 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details
Published
2022-03-21
Title
Easy Smooth Scroll Links < 2.23.1 - Admin+ Stored Cross-Site Scripting
Published
2022-01-18
Title
ProfileGrid < 4.7.5 - Subscriber+ Stored Cross-Site Scripting