Plugin Vulnerability: Stored Cross-Site Scripting (XSS) in Advanced WordPress Backgrounds
CVE-2024-8045

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Advanced WordPress Backgrounds
Vendor: CVE Published:; 11 September 2024

Summary

The Advanced WordPress Backgrounds plugin for WordPress has a vulnerability that allows authenticated attackers with Contributor-level access or above to exploit an insufficient input sanitization and output escaping flaw via the ‘imageTag’ parameter. By injecting arbitrary web scripts into pages, attackers can manipulate the content delivered to users who access those pages, potentially leading to session hijacking, data theft, or other malicious actions. This vulnerability highlights the importance of robust code validation and user input sanitization within web applications.

Affected Version(s)

Advanced WordPress Backgrounds * <= 1.12.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/advanced-backg...

https://wordpress.org/plugins/advanced-backgrounds/#devel...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 11, 2024
Vulnerability Reserved
Aug 21, 2024

Credit

Craig Smith