CVE-2024-11778

Summary

CVE-2024-11778 is a stored Cross-Site Scripting (XSS) vulnerability affecting the CanadaHelps Embedded Donation Form plugin for WordPress. This issue, present in all versions up to 1.0.0, allows authenticated attackers with contributor-level access and above to inject malicious scripts into the plugin's 'embedcdn' shortcode. The insufficient input sanitization and output escaping on user-supplied attributes enable the attacker to execute arbitrary web scripts, posing a significant security risk for affected sites. Whenever a user accesses an injected page, the injected scripts will run, potentially leading to unauthorized data access, information theft, or other malicious activities. It is crucial for WordPress users to update the CanadaHelps plugin to the latest version to mitigate this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.