Stored Cross-Site Scripting in Sticky Buttons Plugin for WordPress
CVE-2024-0703

4.8MEDIUM

Key Information:

Vendor: Wordpress
Status: Sticky Buttons – floating buttons builder
Vendor: CVE Published:; 23 January 2024

Summary

The Sticky Buttons plugin for WordPress is susceptible to a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. This issue affects all versions up to and including 3.2.2, primarily impacting multi-site installations or those with unfiltered_html disabled. Authenticated attackers with administrator privileges can exploit this flaw by injecting malicious web scripts into pages, which would execute upon user access, compromising the security of the site.

Affected Version(s)

Sticky Buttons – floating buttons builder * <= 3.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 23, 2024
Vulnerability Reserved
Jan 18, 2024

Credit

Dipak Panchal