Stored Cross-Site Scripting Vulnerability in WPBakery Plugin for WordPress
CVE-2024-1805

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WPbakery Visual Composer
Vendor: CVE Published:; 2 May 2024

Summary

The WPBakery plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability that arises from inadequate input sanitization and output escaping in the button onclick attribute. This flaw impacts all versions up to and including 7.5, enabling authenticated attackers with contributor privileges or higher to inject arbitrary scripts into webpages. Consequently, any user visiting an affected page may unwittingly execute malicious web scripts, potentially compromising their security.

Affected Version(s)

WPBakery Visual Composer * <= 7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://kb.wpbakery.com/docs/preface/release-notes/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Feb 22, 2024

Credit

Mdr001