Stored Cross-Site Scripting in Auto iFrame WordPress Plugin
CVE-2024-10151

Currently unrated

Key Information:

Vendor
Wordpress
Status
Auto Iframe
Vendor
CVE Published:
8 January 2025

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

The Auto iFrame WordPress plugin prior to version 2.0 exhibits a vulnerability where it fails to properly validate and escape certain shortcode attributes. This flaw enables users with contributor roles or higher permissions to execute Stored Cross-Site Scripting (XSS) attacks, potentially compromising website integrity and user data security. Utilizing this vulnerability, attackers can inject malicious scripts into posts or pages, affecting unsuspecting visitors.

Affected Version(s)

Auto iFrame 0 < 2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10151 - Proof of Concept

References

https://wpscan.com/vulnerability/487facf7-8880-48b3-b1b2-...
exploitvdb-entrytechnical-description

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

WPScan
.