Stored Cross-Site Scripting in Meteor Slides Plugin for WordPress
CVE-2024-12073

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Meteor Slides
Vendor: CVE Published:; 7 January 2025

Summary

The Meteor Slides plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping. This vulnerability allows authenticated attackers with a Contributor-level role or higher to inject malicious scripts through the 'slide_url_value' parameter. When a user accesses the compromised page, the injected script executes, potentially leading to session hijacking, data theft, or other malicious activities. Users of Meteor Slides versions up to and including 1.5.7 are strongly advised to update to the latest version to mitigate this vulnerability.

Affected Version(s)

Meteor Slides * <= 1.5.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/meteor-slides/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 7, 2025
Vulnerability Reserved
Dec 2, 2024

Credit

Brian Sans-Souci