CVE-2024-9703

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 18, 2024 / Updated: 32d ago

010
CVSS 5.4EPSS 0.05%Medium
CVE info copied to clipboard

Summary

The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 2.1.12. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. It allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.

Impact

This vulnerability could allow attackers to inject malicious scripts into WordPress pages using the Arconix Shortcodes plugin. When users visit the affected pages, these scripts would execute in their browsers, potentially leading to: 1. Theft of sensitive information, including cookies and session tokens 2. Unauthorized actions performed on behalf of the victim 3. Defacement of the website 4. Redirection of users to malicious websites 5. Installation of malware on users' devices The impact is somewhat limited as it requires an authenticated user with at least contributor-level access, and user interaction is required for the attack to be successful.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in version 2.1.13 of the Arconix Shortcodes plugin. The patch was added on 2024-10-22, as indicated by the patchDetails in the provided data.

Mitigation

To mitigate this vulnerability, the following steps are recommended: 1. Update the Arconix Shortcodes plugin to version 2.1.13 or later as soon as possible. 2. If immediate updating is not possible, consider temporarily disabling the Arconix Shortcodes plugin until the update can be applied. 3. Review and limit user roles with contributor-level access or higher to trusted individuals only. 4. Implement regular security audits of WordPress plugins and themes. 5. Use Web Application Firewalls (WAF) to help detect and block XSS attacks. 6. Educate content creators about the risks of using shortcodes and the importance of validating user input. 7. Monitor for any suspicious activity or unauthorized changes to pages, especially those using the 'button' shortcode from this plugin.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9703. See article

Oct 18, 2024 at 6:59 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 18, 2024 at 7:00 AM
CVE Assignment

NVD published the first details for CVE-2024-9703

Oct 18, 2024 at 7:15 AM
CVSS

A CVSS base score of 6.4 has been assigned.

Oct 18, 2024 at 7:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 14.8%)

Oct 19, 2024 at 10:57 AM
CVSS

A CVSS base score of 5.4 has been assigned.

Oct 22, 2024 at 3:30 PM / nvd
Static CVE Timeline Graph

Affected Systems

Tychesoftwares/arconix_shortcodes
+null more

Patches

plugins.trac.wordpress.org
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
CVE-2024-9703
Gravedad 3.1 (CVSS 3.1 Base Score) Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Arconix Shortcodes <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Tychesoftwares - MEDIUM - CVE-2024-9703 The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9703 - Arconix Shortcodes Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2024-9703 Published : Oct. 18, 2024, 7:15 a.m. 19 minutes ago Description : The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4
CVE-2024-9703
The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected...
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI