CVE-2024-1658

Grid Shortcodes < 1.1.1 - Contributor+ Stored XSS

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The Grid Shortcodes WordPress plugin before 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

El complemento Grid Shortcodes de WordPress anterior a 1.1.1 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a una página/publicación donde está incrustado el shortcode, lo que podría permitir a los usuarios con el rol de colaborador y superiores realizar un ataque de Cross-Site Scripting Almacenado

*Credits: Dmitrii Ignatyev, WPScan

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-03-18 CVE Published
2024-03-19 EPSS Updated
2024-08-01 CVE Updated
2024-08-01 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://wpscan.com/vulnerability/9489925e-5a47-4608-90a2-0139c5e1c43c	2024-08-01

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Unknown Search vendor "Unknown"		Grid Shortcodes Search vendor "Unknown" for product "Grid Shortcodes"				< 1.1.1 Search vendor "Unknown" for product "Grid Shortcodes" and version " < 1.1.1"		en		Affected