Stored Cross-Site Scripting Vulnerability in Tabs Shortcode and Widget WordPress Plugin
CVE-2024-0719


Key Information:

Vendor: WordPress (plugin: Tabs Shortcode and Widget)
CVE Published: 18 March 2024

Badges

👾 Exploit Exists · 🟡 Public PoC

Summary

The Tabs Shortcode and Widget plugin for WordPress, in versions up to and including 1.17, does not adequately validate or escape user-supplied shortcode attributes before rendering them into page HTML. Post content saved by a Contributor is filtered for raw HTML (so a literal `<script>` tag is stripped), but shortcode text is not HTML and passes through that filter untouched; the attribute values only become markup when the plugin's shortcode handler runs at render time. An authenticated user with the Contributor role or higher can therefore place a crafted attribute value in a post that breaks out of the generated HTML and stores a script payload. The payload executes in the browser of any user who views the affected page, which can lead to data theft, session hijacking, or further compromise of the site. Site owners running this plugin should update to the latest version, or deactivate the plugin until they can, and should review existing posts from lower-privileged authors for suspicious shortcode attribute values.
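To make the vulnerability class concrete, the following is an added illustration written for this page; it is not the Tabs Shortcode and Widget plugin's code, and the shortcode name `demo_tab`, its attributes, and the two handler functions are hypothetical. It places a handler that interpolates shortcode attributes straight into HTML beside a hardened version that escapes each value for the context it lands in using WordPress's own escaping functions.

```php
<?php
// Added example for this advisory (hypothetical shortcode "demo_tab");
// NOT the affected plugin's code. Requires the WordPress runtime for
// shortcode_atts(), do_shortcode(), esc_attr(), sanitize_html_class()
// and wp_kses_post().

// VULNERABLE: attribute values are concatenated into HTML unescaped.
// A Contributor cannot post a raw <script> tag (KSES strips it from post
// content), but KSES does not touch text inside shortcode brackets, so
//   [demo_tab title='x" onmouseover="alert(document.cookie)']
// reaches this handler intact and closes the title attribute early,
// turning the value into a live event-handler attribute on the <div>.
function demo_tab_shortcode_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'id' => '' ),
        $atts,
        'demo_tab'
    );
    return '<div id="' . $atts['id'] . '" class="tab" title="' . $atts['title'] . '">'
         . do_shortcode( $content )
         . '</div>';
}

// HARDENED: escape at output, per context.
//  - esc_attr() encodes quotes, angle brackets and ampersands so the value
//    cannot terminate the double-quoted attribute it is placed in.
//  - sanitize_html_class() reduces the id to [A-Za-z0-9_-], which is
//    stricter than needed but rules out any attribute break-out.
//  - wp_kses_post() restricts the enclosed content (after nested shortcodes
//    have been expanded) to the same tag set allowed in post content, so
//    a script-bearing payload cannot ride in through $content either.
function demo_tab_shortcode_fixed( $atts, $content = null ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'id' => '' ),
        $atts,
        'demo_tab'
    );
    $id    = sanitize_html_class( $atts['id'] );
    $title = esc_attr( $atts['title'] );
    return '<div id="' . $id . '" class="tab" title="' . $title . '">'
         . wp_kses_post( do_shortcode( $content ) )
         . '</div>';
}

add_shortcode( 'demo_tab', 'demo_tab_shortcode_fixed' );
```

When auditing a plugin for this pattern, look for shortcode handlers that build HTML by string concatenation from `$atts` without `esc_attr()` (for attribute values), `esc_url()` (for href/src values) or `esc_html()` (for text nodes); the absence of escaping at the point of output is the defect, regardless of what filtering happened when the post was saved. On a live site, `wp plugin list --fields=name,version,update` (WP-CLI) shows each installed plugin's version and whether an update is pending, which is the quickest way to confirm whether an installation is still within the affected range.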

Affected Version(s)

Tabs Shortcode and Widget, all versions up to and including 1.17 (0 <= version <= 1.17)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited in practice. A public PoC also lowers the effort needed to weaponize the issue, so its availability should raise the priority of patching.

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Dmitrii Ignatyev (WPScan)