CVE-2024-9177

Summary

CVE-2024-9177 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Themedy Toolbox plugin for WordPress. This issue, present in all versions up to 1.0.14 for certain shortcodes, and up to 1.0.15 for the themedy_button shortcode, allows authenticated attackers with contributor-level access or above to inject malicious scripts. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes. Successful exploitation results in the execution of arbitrary web scripts whenever an injected page is accessed.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.