ConeBlog – WordPress Blog Widgets < 1.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-37918 | Plugin Vulnerabilities

Description

The ConeBlog – WordPress Blog Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

coneblog-widgets

Fixed in 1.4.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/46e47284-2757-40d0-ac76-292a690cfcbb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro Soares de Alcântara

Verified

No

WPVDB ID

ec411304-9d15-40b5-933d-e798159454fd

Timeline

Publicly Published

2024-07-09 (about 1 year ago)

Added

2024-07-15 (about 1 year ago)

Last Updated

2024-07-15 (about 1 year ago)

Other

Published

Title

Published

2024-11-22

Title

Memberlite Shortcodes < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via memberlite_accordion Shortcode

Published

2016-01-28

Title

trMedia for WordPress <= 3.10.1 - XSS

Published

2024-07-10

Title

Calendar.online / Kalender.digital < 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-01

Title

Lightweight and Responsive Youtube Embed <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2020-12-12

Title

Directories Pro < 1.3.46 - Authenticated Reflected Cross-Site Scripting