Parallax Image Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-9898
6.4 MEDIUM
Summary
The Parallax Image plugin for WordPress contains a vulnerability that allows attackers with contributor-level access or higher to execute arbitrary web scripts through the dd-parallax shortcode. This vulnerability arises from insufficient input sanitization and output escaping, which enables the injection of malicious code into web pages. When a user accesses a compromised page, the injected scripts execute, potentially compromising sensitive information and user sessions. The issue affects all versions up to and including 1.8, making it crucial for site administrators to ensure they are using updated and secure versions of the plugin.
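The sanitization and escaping gap the summary describes, shown as an added illustration in the shape of a WordPress shortcode callback. This is not the Parallax Image plugin's own code: only the shortcode tag comes from the advisory, while the attribute names (img, speed, class) and the callback names are assumed, and the block relies on the WordPress runtime for shortcode_atts, esc_url, esc_attr, sanitize_html_class, wp_kses_post and do_shortcode.

```php
<?php
// Added illustration, not the Parallax Image plugin's code. Attribute names
// and callback names are assumed; only the shortcode tag comes from the advisory.

// Weak pattern: attribute values are concatenated into HTML as-is. A contributor
// cannot save raw <script> (kses strips tags on save for users without
// unfiltered_html), but a shortcode's attributes are plain text to kses, so
// whatever is placed there reaches the rendered page unchanged and is then
// interpreted by the browser as part of the markup.
function dd_parallax_weak( $atts, $content = '' ) {
    $a = shortcode_atts( array( 'img' => '', 'speed' => '2', 'class' => '' ), $atts, 'dd-parallax' );
    return '<div class="dd-parallax ' . $a['class'] . '" data-speed="' . $a['speed'] . '"'
         . ' style="background-image:url(' . $a['img'] . ')">' . $content . '</div>';
}

// Hardened pattern: normalize each attribute to the type it must be, then escape
// for the exact output context (URL, attribute value, class name, post HTML).
function dd_parallax_safe( $atts, $content = '' ) {
    $a = shortcode_atts( array( 'img' => '', 'speed' => '2', 'class' => '' ), $atts, 'dd-parallax' );

    $img   = esc_url( $a['img'] );               // drops disallowed schemes, strips quotes
    $speed = (string) floatval( $a['speed'] );   // numeric only; nothing else reaches the attribute
    $class = sanitize_html_class( $a['class'] ); // [A-Za-z0-9_-] only

    if ( '' === $img ) {
        return '';                               // no usable image URL: render nothing
    }

    // Keep the URL out of inline CSS: expose it through a data attribute and let the
    // front-end script set the background, instead of building a style string.
    return sprintf(
        '<div class="dd-parallax %s" data-speed="%s" data-image="%s">%s</div>',
        esc_attr( $class ),
        esc_attr( $speed ),
        $img,                                    // esc_url output is attribute-safe
        do_shortcode( wp_kses_post( $content ) ) // nested content limited to post-safe HTML
    );
}

add_shortcode( 'dd-parallax', 'dd_parallax_safe' );
```

The point to check in any shortcode handler is the second function's shape: every attribute is coerced or escaped for the context it lands in, because input-side filtering on save does not cover text inside shortcode brackets.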
Affected Version(s)
Parallax Image * <= 1.8
CVSS V3.1
Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Thaleikis