The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_input’ and 'node_description' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure charts can be extended to subscribers.
Metrics
Affected Vendors & Products
References
History
Wed, 07 Aug 2024 13:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 07 Aug 2024 12:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_input’ and 'node_description' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure charts can be extended to subscribers. | |
Title | Organization chart <= 1.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description Parameters | |
Weaknesses | CWE-79 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-08-07T12:30:17.310Z
Updated: 2024-08-07T13:12:15.350Z
Reserved: 2024-07-31T22:24:18.233Z
Link: CVE-2024-7355
Vulnrichment
Updated: 2024-08-07T13:12:09.505Z
NVD
Status : Awaiting Analysis
Published: 2024-08-07T13:16:00.200
Modified: 2024-08-07T15:17:46.717
Link: CVE-2024-7355
Redhat
No data.