CVE-2024-0711 – Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode

https://notcve.org/view.php?id=CVE-2024-0711

The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. El complemento Buttons Shortcode and Widget de WordPress hasta la versión 1.16 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a una página/publicación donde está incrustado el shortcode, lo que podría permitir a los usuarios con el rol de colaborador y superior realizar un ataque de Cross-Site Scripting Almacenado. • https://wpscan.com/vulnerability/8e286c04-ef32-4af0-be78-d978999b2a90 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •