Tithe.ly Giving Button <= 1.1 – Contributor+ Stored XSS via Shortcode | CVE 2024-11841 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Add the following shortcode to a page/post:

`[tithely button="donate now" id='1232' amount='red" onmouseover="alert(/XSS/)"' class="button" give-to="Building Fund"]`

Mouseover the button to see the XSS

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

e344c722-c9b3-4527-a50d-50cdf07ebace

Timeline

Publicly Published

2024-11-25 (about 1 year ago)

Added

2024-12-09 (about 1 year ago)

Last Updated

2024-12-09 (about 1 year ago)

Other

Published

Title

Published

2022-08-01

Title

Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS

Published

2025-07-17

Title

JetBlog <= 2.4.4 - Reflected Cross-Site Scripting

Published

2023-03-02

Title

Easy Testimonial Slider and Form < 1.0.16 - Reflected Cross-Site Scripting

Published

2025-08-23

Title

Doliconnect < 9.4.2 - Reflected Cross-Site Scripting

Published

2024-11-01

Title

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) < 5.10.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Custom Gallery Widget