Pocket News Generator <= 0.2.0 – Authenticated (Admin+) Stored Cross-Site Scripting | CVE 2024-2963 | Plugin Vulnerabilities

Description

The Pocket News Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as "Consumer Key" and "Access Token" in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

pocket-news-generator

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2c8a487c-6bd5-480a-9945-ba465b38243f

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Benedictus Jovan

Verified

No

WPVDB ID

22c2f84e-6263-42ac-a94a-3eaac214a48c

Timeline

Publicly Published

2024-03-28 (about 1 months ago)

Added

2024-03-28 (about 1 months ago)

Last Updated

2024-03-28 (about 1 months ago)

Other

Published

Title

Published

2023-07-17

Title

Multiple DeoThemes Themes - Reflected Cross-Site Scripting

Published

2022-07-11

Title

Featured Image from URL < 4.0.1 - Admin+ Stored Cross-Site Scripting

Published

2023-01-30

Title

EmbedStories < 0.7.5 - Contributor+ Stored XSS

Published

2023-11-08

Title

Elementor Website Builder < 3.16.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()

Published

2024-03-29

Title

List category posts < 0.89.7 - Contributor+ Stored XSS