Stored Cross-Site Scripting Vulnerability in Sell Media Plugin for WordPress
CVE-2024-11777

6.4MEDIUM

Key Information:

Vendor: Endortrails
Status: Sell Media
Vendor: CVE Published:; 7 January 2025

Summary

The Sell Media plugin for WordPress allows for Stored Cross-Site Scripting due to inadequate sanitization and escaping of user-supplied input in the 'sell_media_search_form_gutenberg' shortcode. This vulnerability can be exploited by authenticated users with contributor-level access or higher, enabling them to inject malicious web scripts into pages. These scripts are executed when other users access compromised content, potentially compromising user data and site integrity.

Affected Version(s)

Sell Media * <= 2.5.8.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/sell-media/tru...

https://wordpress.org/plugins/sell-media/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 7, 2025
Vulnerability Reserved
Nov 26, 2024

Collectors

NVD DatabaseMitre Database

Credit

Djaidja Moundjid