Stored Cross-Site Scripting Vulnerability in WP SHAPES Plugin for WordPress

CVE-2024-9619

6.4MEDIUM

Key Information

Vendor: Holithemes
Status: WP Shapes
Vendor: CVE Published:; 20 December 2024

Summary

The WP SHAPES plugin for WordPress is susceptible to a stored cross-site scripting (XSS) vulnerability due to inadequate input sanitization and output escaping. This vulnerability affects all versions up to and including 1.0.0, enabling authenticated attackers with Author-level access and higher to exploit the flaw by uploading SVG files containing malicious web scripts. These scripts can execute when unsuspecting users access the SVG files, posing significant security risks to the integrity of web pages and the safety of user data.

Affected Version(s)

WP SHAPES = 1.0.0

Refferences

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-shapes/#developers

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 20, 2024
Vulnerability Reserved
Oct 8, 2024

Collectors

NVD DatabaseMitre Database

Credit

Francesco Carlucci