Squelch Tabs and Accordions Shortcodes < 0.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via accordions Shortcode | CVE 2024-2499 | Plugin Vulnerabilities

Description

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'accordions' shortcode in all versions up to, and including, 0.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

squelch-tabs-and-accordions-shortcodes

Fixed in 0.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/adf10ad4-38b2-44be-bdc6-ba6b62e9fbe6

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

a46110b5-8689-4330-810a-9ba74f271aae

Timeline

Publicly Published

2024-04-04 (about 1 months ago)

Added

2024-04-05 (about 1 months ago)

Last Updated

2024-04-05 (about 1 months ago)

Other

Published

Title

Published

2015-08-25

Title

Olevmedia Shortcodes <= 1.1.8 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2023-03-21

Title

VigilanTor < 1.3.11 - Admin+ Stored XSS

Published

2023-10-23

Title

Delete Me < 3.1 - Contributor+ Stored Cross-Site Scripting via Shortcode

Published

2023-11-21

Title

Maspik – Spam blacklist < 0.9.3 - Unauthenticated Stored Cross-Site Scripting via efas_add_to_log

Published

2023-08-28

Title

URL Shortener by MyThemeShop <= 1.0.17 - Reflected XSS