WordPress Plugin Vulnerabilities

eHive Objects Image Grid < 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The eHive Objects Image Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ehive_objects_image_grid' shortcode in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ehive-objects-image-grid
Fixed in 2.4.2

References

CVE
CVE-2024-13662
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/638d8ef6-dab0-4cfa-8ecc-af2ded3c6d79

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
e51bf7e6-f7d6-4d91-8b91-0476b94a0cce

Timeline

Publicly Published
2025-01-30 (about 1 year ago)
Added
2025-01-30 (about 1 year ago)
Last Updated
2025-01-31 (about 1 year ago)

Other

Published
Title
Published
2025-04-16
Title
Checkout Files Upload for WooCommerce < 2.2.1 - Contributor+ Stored XSS
Published
2024-09-24
Title
MB Custom Post Types & Custom Taxonomies < 2.7.7 - Admin+ Stored XSS
Published
2024-11-28
Title
Countdown Timer for Elementor < 1.3.7 - Contributor+ Stored XSS
Published
2023-09-12
Title
Jetpack CRM < 5.5.1 - CRM Admin+ XSS
Published
2025-01-17
Title
InFunding – Plugin for Charity & Crowdfunding Website <= 1.0 - Reflected Cross-Site Scripting