CVE-2024-11337

Summary

CVE-2024-11337 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Horoscope And Tarot plugin for WordPress. This issue, present in all versions up to 1.3.0, stems from insufficient input sanitization and output escaping on user-supplied attributes within the 'divine_horoscope' shortcode. Consequently, authenticated attackers with contributor-level access or higher can inject arbitrary web scripts, which will execute whenever an unsuspecting user accesses an injected page. This vulnerability poses a significant risk, as it can lead to data theft, unauthorized account access, and other malicious activities. Users of the Horoscope And Tarot plugin are strongly advised to update to the latest version to mitigate this threat.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.