Cross-Site Request Forgery (CSRF) Vulnerability in Custom Shortcode Sidebars Allows Stored XSS
CVE-2024-53736

7.1HIGH

Key Information:

Vendor: WordPress
Status: Custom Shortcode Sidebars
Vendor: CVE Published:; 28 November 2024

What is CVE-2024-53736?

The vulnerability in Jason Grim's Custom Shortcode Sidebars presents a Cross-Site Request Forgery (CSRF) flaw that could allow attackers to manipulate user sessions and perform actions without user consent. This issue is particularly concerning as it leads to Stored Cross-Site Scripting (XSS) attacks, where malicious scripts could be persistently stored and executed in the context of unsuspecting users. Affected versions range from an unspecified release up to version 1.2, highlighting an urgent need for updates to mitigate these security risks.

Affected Version(s)

Custom Shortcode Sidebars <= 1.2

References

https://patchstack.com/database/wordpress/plugin/custom-s...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 28, 2024
Vulnerability Reserved
Nov 22, 2024

Credit

SOPROBRO (Patchstack Alliance)