Stored Cross-Site Scripting Vulnerability in WP SHAPES Plugin for WordPress
CVE-2024-9619

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Shapes
Vendor: CVE Published:; 20 December 2024

Summary

The WP SHAPES plugin for WordPress is susceptible to a stored cross-site scripting (XSS) vulnerability due to inadequate input sanitization and output escaping. This vulnerability affects all versions up to and including 1.0.0, enabling authenticated attackers with Author-level access and higher to exploit the flaw by uploading SVG files containing malicious web scripts. These scripts can execute when unsuspecting users access the SVG files, posing significant security risks to the integrity of web pages and the safety of user data.

Affected Version(s)

WP SHAPES 1.0.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-shapes/#developers

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 20, 2024
Vulnerability Reserved
Oct 8, 2024

Credit

Francesco Carlucci