Stored Cross-Site Scripting in Tabs Shortcode WordPress Plugin
CVE-2024-11606

Currently unrated

Key Information:

Vendor: Wordpress
Status: Tabs Shortcode
Vendor: CVE Published:; 7 January 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Tabs Shortcode plugin for WordPress, up to version 2.0.2, fails to adequately validate and sanitize shortcode attributes before rendering them on pages or posts. This oversight allows users with contributor-level permissions and higher to exploit this vulnerability, potentially leading to Stored Cross-Site Scripting (XSS) attacks. When successful, an attacker could inject malicious scripts that execute in the browser of any user viewing the affected post or page, creating significant security risks for users and site administrators.

Affected Version(s)

Tabs Shortcode 0 <= 2.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11606 - Proof of Concept

References

https://wpscan.com/vulnerability/76ae8f5b-2d0e-4bf5-9ae3-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
Jan 7, 2025
👾
Exploit known to exist
Jan 7, 2025
Vulnerability published
Jan 7, 2025
Vulnerability Reserved
Nov 21, 2024

Credit

Bob Matyas

WPScan