WordPress Plugin Vulnerabilities

IdeaPush < 8.61 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description

The IdeaPush plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 8.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ideapush
Fixed in 8.61

References

CVE
CVE-2024-37265
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e01dd955-fa25-4cb2-8ab8-a648816857f1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
piro
Verified
No
WPVDB ID
f58a607c-7e29-4bb0-ac3a-206f5e06da93

Timeline

Publicly Published
2024-06-27 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2020-01-31
Title
Auth0 < 3.11.3 - Unauthenticated Reflected XSS via wle Parameter
Published
2023-10-03
Title
Instagram for WordPress <= 2.1.6 - Contributor+ Stored XSS
Published
2024-09-03
Title
The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Reflected Cross-Site Scripting via selected_option
Published
2022-12-05
Title
Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS
Published
2016-11-08
Title
WassUp Real Time Analytics <= 1.9 - Cross Site Scripting