Stored Cross-Site Scripting Vulnerability in List Category Posts Plugin for WordPress
CVE-2024-9020

Currently unrated

Key Information:

Vendor
WordPress
Status
List Category Posts
Vendor
CVE Published:
18 January 2025

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

The List Category Posts Plugin for WordPress, prior to version 0.90.3, is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This issue arises because the plugin fails to properly validate and escape certain shortcode attributes when rendering pages or posts that incorporate these shortcodes. As a result, users with contributor roles or higher could exploit this flaw, executing arbitrary JavaScript code when other users view the affected content. Such attacks can lead to unauthorized actions on behalf of users or disclosure of sensitive information, underscoring the importance of updating to a secured version of the plugin.

Affected Version(s)

List category posts 0 < 0.90.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9020 - Proof of Concept

References

https://wpscan.com/vulnerability/6caa4e5d-8112-4d00-8e97-...
exploitvdb-entrytechnical-description

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
WPScan
.