CVE-2024-11902

Summary

CVE-2024-11902 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Slope Widgets plugin for WordPress. This issue, present in all versions up to 4.2.11, enables authenticated attackers with contributor-level access and above to inject malicious scripts through the plugin's 'slope-reservations' shortcode. The lack of proper input sanitization and output escaping on user-supplied attributes leads to the execution of injected scripts whenever a user accesses an affected page. This vulnerability poses a significant risk, as it can lead to data theft, unauthorized account access, and other malicious activities. Users are urged to update to the latest version of the plugin as soon as possible to mitigate this risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.