Stored Cross-Site Scripting in ABC Notation Plugin for WordPress
CVE-2024-13551

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Abc Notation
Vendor: CVE Published:; 25 January 2025

Summary

The ABC Notation plugin for WordPress is susceptible to a stored cross-site scripting vulnerability through its 'abcjs' shortcode. This vulnerability affects all versions up to and including 6.1.3 due to inadequate input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level access and higher can exploit this weakness to inject arbitrary web scripts into pages, which may execute whenever users access those compromised pages, potentially leading to unauthorized actions and data exposure.

Affected Version(s)

ABC Notation * <= 6.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/abc-notation/tags/6.1.3...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 25, 2025
Vulnerability Reserved
Jan 20, 2025

Credit

muhammad yudha