CVE-2024-2304

Summary

CVE-2024-2304 is a vulnerability found in the Animated Headline plugin for WordPress, affecting all versions up to and including 4.0. The vulnerability allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages using the plugin's 'animated-headline' shortcode. Insufficient input sanitization and output escaping on user supplied attributes make it possible for the injected scripts to execute whenever a user accesses an affected page. The risk score for this vulnerability is 25, with a base severity of MEDIUM and a base score of 6.4. The exploitability score is 3.1, indicating a relatively low difficulty in exploiting the vulnerability. The potential danger posed to organizations includes the execution of malicious scripts and potential compromise of confidentiality and integrity, although the impact scores for these factors are low (2.7). Remediation for this vulnerability would involve updating to a version of the plugin that addresses the input sanitization and output escaping issues.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.