CVE-2024-11880

Description

The B Testimonial – testimonial plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'b_testimonial' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PUBLISHED Reserved 2024-11-27 | Published 2024-12-04 | Updated 2024-12-04 | Assigner Wordfence

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Timeline

Credits

Peter Thaleikis finder

References

www.wordfence.com/...-02fa-4f4e-a578-855d3331b200?source=cve

plugins.trac.wordpress.org/...l/tags/1.2.2/inc/theme/one.php

plugins.trac.wordpress.org/...timonial&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...monial/trunk/inc/theme/one.php

cve.org (CVE-2024-11880)

nvd.nist.gov (CVE-2024-11880)

Download JSON