Page Builder Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-2202

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Page Builder By Siteorigin
Vendor: CVE Published:; 23 March 2024

Summary

The Page Builder by SiteOrigin plugin for WordPress has a vulnerability allowing for Stored Cross-Site Scripting. This issue arises from inadequate input sanitization and output escaping in the legacy Image widget. Authenticated attackers with contributor-level access and above can exploit this vulnerability to inject arbitrary web scripts into pages. The injected scripts will execute when users access the affected pages, potentially leading to unauthorized actions or data exposure.

Affected Version(s)

Page Builder by SiteOrigin * <= 2.29.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/siteorigin-pan...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 23, 2024
Vulnerability Reserved
Mar 5, 2024

Credit

Craig Smith