Stored Cross-Site Scripting in Orbit Fox by ThemeIsle for WordPress
CVE-2024-13183

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Orbit Fox By Themeisle
Vendor: CVE Published:; 10 January 2025

Summary

The Orbit Fox plugin by ThemeIsle for WordPress is susceptible to a stored cross-site scripting (XSS) vulnerability. This flaw arises from inadequate input sanitization and output escaping in the 'title_tag' parameter, permitting authenticated users with Contributor-level access or higher to inject arbitrary web scripts. These malicious scripts could execute on pages accessed by users, creating potential for data exfiltration, session hijacking, or other harmful actions. It is critical for website administrators to update the plugin to the latest version to mitigate this risk and ensure secure interactions.

Affected Version(s)

Orbit Fox by ThemeIsle * <= 2.10.43

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/themeisle-companion/#develo...

https://plugins.trac.wordpress.org/browser/themeisle-comp...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 10, 2025
Vulnerability Reserved
Jan 7, 2025

Credit

Ankit Patel