Stored Cross-Site Scripting in RSS Icon Widget Plugin for WordPress
CVE-2024-12203

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Rss Icon Widget
Vendor: CVE Published:; 17 January 2025

What is CVE-2024-12203?

The RSS Icon Widget plugin for WordPress is susceptible to stored cross-site scripting through the 'link_color' parameter due to inadequate input sanitization and output escaping. This vulnerability allows authenticated attackers, specifically those with administrator-level access, to inject malicious web scripts that get executed whenever users access the compromised page. It particularly impacts multi-site installations and setups where unfiltered_html has been disabled, raising serious security concerns for affected sites.

Affected Version(s)

RSS Icon Widget * <= 5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/rss-icon-widge...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 17, 2025
Vulnerability Reserved
Dec 4, 2024

Credit

Yamil Rosa