Stored Cross-Site Scripting Vulnerability in MarketKing by WordPress
CVE-2024-13519
4.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 18 January 2025
Summary
The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability caused by inadequate input sanitization and output escaping. Authenticated attackers with Shop Manager permissions and above can inject arbitrary scripts into plugin settings. The injected scripts can then execute on any page accessed by users, posing a significant risk, especially in multi-site installations where unfiltered_html is disabled.
Affected Version(s)
MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution * <= 1.9.80
CVSS V3.1
Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Karolina Jankowska