Stored Cross-Site Scripting in Ketchup Shortcodes Plugin for WordPress
CVE-2024-13590

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Ketchup Shortcodes
Vendor: CVE Published:; 22 January 2025

Summary

The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in its 'spacer' shortcode. This vulnerability affects all versions up to and including 0.1.2. Authenticated attackers with contributor-level access can exploit this flaw to inject arbitrary web scripts. These scripts will execute in the browsers of users viewing the modified pages, potentially leading to data theft and unauthorized actions.

Affected Version(s)

Ketchup Shortcodes * <= 0.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3222176/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 22, 2025
Vulnerability Reserved
Jan 21, 2025

Credit

zakaria