CVE-2024-11756

CVSS 3.1 Score 6.4 of 10 (medium)

Details

Published Jan 7, 2025
CWE ID 79

Summary

CVE-2024-11756: A critical vulnerability affects the SweepWidget Contests plugin for WordPress. This issue, which impacts all versions up to 2.0.6, allows authenticated attackers with contributor-level access or higher to inject malicious scripts. The flaw, caused by insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'sweepwidget' shortcode, results in stored Cross-Site Scripting (XSS). Consequently, injected pages can execute arbitrary web scripts whenever a user accesses them.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share