Stored Cross-Site Scripting Vulnerability in Slope Widgets for WordPress
CVE-2024-11902

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Slope Widgets
Vendor: CVE Published:; 17 December 2024

Summary

The Slope Widgets plugin for WordPress, specifically the 'slope-reservations' shortcode, presents a significant risk due to a stored cross-site scripting (XSS) vulnerability. This issue arises from inadequate input sanitization and output escaping for user-supplied attributes. As a result, authenticated users with contributor-level or higher access rights can exploit this flaw to inject arbitrary scripts into web pages. The malicious scripts will execute whenever another user views the compromised page, potentially leading to data theft, account takeover, or other malicious activities. This vulnerability affects all versions up to and including 4.2.11 of the Slope Widgets plugin, making it crucial for users to upgrade to the latest fixed version to mitigate the risk.

Affected Version(s)

Slope Widgets * <= 4.2.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/slope-widgets/...

https://wordpress.org/plugins/slope-widgets/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 17, 2024

Credit

Djaidja Moundjid