Stored Cross-Site Scripting Vulnerability in WPBakery Plugin for WordPress
CVE-2024-1841

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WPbakery Visual Composer
Vendor: CVE Published:; 2 May 2024

Summary

The WPBakery plugin for WordPress is susceptible to Stored Cross-Site Scripting due to flawed input sanitization and output escaping in the Post Title tag attribute. This vulnerability allows authenticated attackers, possessing contributor access or higher, to embed malicious scripts that can be executed when users view the affected pages. All versions up to and including 7.5 are at risk, potentially compromising the security of websites that utilize this plugin.

Affected Version(s)

WPBakery Visual Composer * <= 7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://kb.wpbakery.com/docs/preface/release-notes/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Feb 23, 2024

Credit

Mdr001