Stored Cross-Site Scripting Vulnerability in RSS Feed Widget WordPress Plugin
CVE-2024-9836
Key Information:
- Vendor: RSS Feed Widget WordPress plugin
- Status: Rss Feed Widget
- CVE Published: 12 November 2024
Summary
The RSS Feed Widget plugin for WordPress fails to adequately validate and escape certain shortcode attributes before rendering them on a page or post. This allows authenticated users with Contributor-level privileges or higher to perform Stored Cross-Site Scripting (XSS) attacks: injected scripts are stored with the content and execute in the browsers of other users who view the affected page, compromising their security and privacy.
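The defect class described above, as an added illustration that is not the plugin's own code: a hypothetical shortcode handler (`hypo_feed`, with made-up `url`, `title` and `count` attributes) shown first in the unsafe form that echoes attribute values directly, then in a hardened form that validates each attribute for its type and escapes it for the exact HTML context it lands in. It assumes the WordPress runtime (`shortcode_atts`, `esc_url`, `esc_attr`, `esc_html`, `sanitize_text_field`, `absint`, `add_shortcode` are core WordPress functions).

```php
<?php
// Added illustration, not the plugin's code. The shortcode name and the
// attribute names are hypothetical; the escaping functions are WordPress core.

// Unsafe pattern: attribute values are dropped straight into the HTML.
// Shortcode attributes are author-controlled input, so a Contributor-level
// user decides what ends up inside the attribute value and the heading.
function hypo_feed_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '', 'count' => 5 ), $atts, 'hypo_feed' );
    return '<div class="feed" data-src="' . $atts['url'] . '"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: validate on input, escape on output, per context.
function hypo_feed_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '', 'count' => 5 ), $atts, 'hypo_feed' );

    // URL: only http(s) is meaningful for a feed; anything else becomes ''.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );

    // Title: strip tags and control characters, then escape as element text.
    $title = esc_html( sanitize_text_field( $atts['title'] ) );

    // Count: coerce to a bounded non-negative integer instead of trusting a string.
    $count = min( absint( $atts['count'] ), 50 );

    // esc_attr() for the attribute context; $title is already HTML-escaped.
    return sprintf(
        '<div class="feed" data-src="%s" data-count="%d"><h3>%s</h3></div>',
        esc_attr( $url ),
        $count,
        $title
    );
}

add_shortcode( 'hypo_feed', 'hypo_feed_shortcode_safe' );
```

When reviewing a plugin for this class of bug, look for shortcode callbacks that concatenate `$atts[...]` values into markup without an `esc_*` call matching the output context.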
Affected Version(s)
RSS Feed Widget: all versions before 3.0.0 (affected range 0 < 3.0.0)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
References
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved