Stored Cross-Site Scripting in Sticky Buttons Plugin for WordPress
CVE-2024-0703

4.8MEDIUM

Key Information:

Vendor

Wordpress
Status
Sticky Buttons – floating buttons builder
Vendor
CVE Published:
23 January 2024

What is CVE-2024-0703?

The Sticky Buttons plugin for WordPress is susceptible to a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. This issue affects all versions up to and including 3.2.2, primarily impacting multi-site installations or those with unfiltered_html disabled. Authenticated attackers with administrator privileges can exploit this flaw by injecting malicious web scripts into pages, which would execute upon user access, compromising the security of the site.

Affected Version(s)

Sticky Buttons – floating buttons builder * <= 3.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dipak Panchal
.