Stored Cross-Site Scripting Vulnerability in Portfolio – Filterable Masonry Portfolio Gallery Plugin for WordPress
CVE-2024-11900

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Portfolio – Filterable Masonry Portfolio Gallery For Professionals
Vendor: CVE Published:; 17 December 2024

Summary

CVE-2024-11900 highlights a security vulnerability within the Portfolio – Filterable Masonry Portfolio Gallery for Professionals plugin for WordPress. This vulnerability allows authenticated attackers, with contributor-level access or higher, to exploit stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping on attributes supplied by users. The vulnerability affects all versions up to and including 1.2.2 of the plugin. By injecting malicious web scripts into pages, attackers can compromise the integrity of web content and potentially execute harmful scripts whenever users access affected pages.

Affected Version(s)

Portfolio – Filterable Masonry Portfolio Gallery for Professionals * <= 1.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/portfolio-pro/...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 17, 2024

Credit

Peter Thaleikis