Sidebar Shortcode Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-9885

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Widget Or Sidebar Shortcode
Vendor: CVE Published:; 30 October 2024

What is CVE-2024-9885?

The Widget or Sidebar Shortcode plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) attacks through its 'sidebar' shortcode. This flaw results from inadequate input sanitization and output escaping on user-supplied attributes. As a result, attackers with contributor-level access can inject arbitrary web scripts into pages. Whenever a user visits a page containing these scripts, the injected code executes, posing privacy and security risks to users. It is crucial for users of the plugin to review their installations and take appropriate action to ensure security.

Affected Version(s)

Widget or Sidebar Shortcode * <= 0.6.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/widget-or-side...

https://wordpress.org/plugins/widget-or-sidebar-per-short...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 30, 2024
Vulnerability Reserved
Oct 11, 2024

Credit

Youcef Hamdani