Stored XSS Vulnerability Affects Counter Up Plugin
CVE-2024-10895

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Counter Up – Animated Number Counter & Milestone Showcase
Vendor: CVE Published:; 27 November 2024

Summary

The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability, stemming from inadequate input sanitization and output escaping when using the 'lgx-counter' shortcode. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts execute whenever other users access the compromised pages, posing a significant security risk for WordPress sites utilizing this plugin.

Affected Version(s)

Counter Up – Animated Number Counter & Milestone Showcase * <= 2.4.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-counter-up/...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 27, 2024
Vulnerability Reserved
Nov 5, 2024

Credit

Peter Thaleikis