Stored Cross-Site Scripting Vulnerability in Outdooractive Embed Plugin for WordPress
CVE-2024-11774

6.4 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
20 December 2024

Summary

The Outdooractive Embed plugin for WordPress is affected by a stored cross-site scripting (XSS) vulnerability, tracked as CVE-2024-11774 and rated 6.4 (Medium) under CVSS v3.1. The flaw stems from insufficient input sanitization and output escaping in the plugin's 'list2go' shortcode and affects all versions up to and including 1.5. An authenticated attacker with contributor-level access or higher can place crafted shortcode attributes in post content; the values are stored and rendered as arbitrary script whenever a user views the affected page, including higher-privileged users who review or preview the post. Because the script runs in the victim's browser in the context of the site, successful exploitation can lead to session or account compromise, data theft, or delivery of malware. Site owners should update the plugin to a patched version as soon as one is available and, in the meantime, limit contributor-level accounts and review stored posts for unexpected 'list2go' shortcode attributes.
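As an added illustration of the bug class described above (this is not the plugin's code, and the shortcode attribute names 'id' and 'lang' are assumed), here is a 'list2go'-style handler that writes attribute values into HTML without escaping, beside a hardened version that validates each value and escapes it for the attribute context. The three small stand-in functions at the top only exist so the file runs outside WordPress; inside WordPress the real shortcode_atts(), absint() and esc_attr() are used.

```php
<?php
// Added illustration, not the plugin's code. Attribute names are hypothetical.

// Stand-ins so this file runs outside WordPress; WordPress provides the real ones.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts, string $shortcode = ''): array {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $t): string { return htmlspecialchars($t, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable pattern: values taken from the post body land in markup as-is.
// A contributor can write [list2go id='" onmouseover="alert(1)'] and the
// double quote closes data-id="..." and starts a new event-handler attribute.
function example_list2go_vulnerable($atts): string {
    $atts = shortcode_atts(['id' => '', 'lang' => 'en'], $atts, 'list2go');
    return '<div class="oax-list2go" data-id="' . $atts['id']
         . '" data-lang="' . $atts['lang'] . '"></div>';
}

// Hardened pattern: validate each value to the shape the embed expects,
// then escape for the HTML-attribute context at the moment of output.
function example_list2go_hardened($atts): string {
    $atts = shortcode_atts(['id' => '', 'lang' => 'en'], $atts, 'list2go');
    $id   = absint($atts['id']);                                       // non-negative integer or 0
    $lang = preg_match('/^[a-z]{2}$/', (string) $atts['lang']) ? $atts['lang'] : 'en';
    if ($id === 0) {
        return '';                                                      // no valid id: emit nothing
    }
    return sprintf('<div class="oax-list2go" data-id="%s" data-lang="%s"></div>',
                   esc_attr((string) $id), esc_attr($lang));
}

// Register the hardened handler when running inside WordPress.
if (function_exists('add_shortcode')) {
    add_shortcode('list2go', 'example_list2go_hardened');
}

// Constructed payload of the kind a contributor could store in a post.
$payload = ['id' => '" onmouseover="alert(1)', 'lang' => 'en'];
echo "vulnerable: ", example_list2go_vulnerable($payload), PHP_EOL;
echo "hardened:   ", example_list2go_hardened($payload), PHP_EOL;
echo "hardened:   ", example_list2go_hardened(['id' => '42', 'lang' => 'd"e']), PHP_EOL;
```

Running it with php shows the first handler emitting a stray onmouseover attribute, while the hardened handler drops the embed because the crafted id is not numeric and falls back to the default language when the supplied one is malformed. Contributor-level access suffices for this class of bug because WordPress runs its KSES filter over the post body at save time, and a shortcode is plain bracketed text rather than an HTML tag, so the attribute value survives filtering; the handler then turns it into markup at render time, after filtering has already happened.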

Affected Version(s)

Outdooractive Embed: all versions up to and including 1.5

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability reserved

  • Vulnerability published: 20 December 2024

Credit

Djaidja Moundjid