Stored Cross-Site Scripting in RSS Icon Widget Plugin for WordPress
CVE-2024-12203

4.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Rss Icon Widget
Vendor
CVE Published:
17 January 2025

Summary

The RSS Icon Widget plugin for WordPress is susceptible to stored cross-site scripting through the 'link_color' parameter due to inadequate input sanitization and output escaping. This vulnerability allows authenticated attackers, specifically those with administrator-level access, to inject malicious web scripts that get executed whenever users access the compromised page. It particularly impacts multi-site installations and setups where unfiltered_html has been disabled, raising serious security concerns for affected sites.

Affected Version(s)

RSS Icon Widget * <= 5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/rss-icon-widge...
https://plugins.trac.wordpress.org/browser/rss-icon-widge...

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yamil Rosa
.