<h3>CVE-2024-10057</h3>
<ul>
<li><p>Status: Published</p></li>
<li><p>CVSS v3: 6.4 (MEDIUM)</p></li>
<li><p>CVSS v2: N/A</p></li>
<li><p>Affected: 1 project</p></li>
</ul>
<h4>Description</h4>
<p>The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rfw-youtube-videos shortcode in all versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</p>
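<p>The description names the two missing controls: input sanitization and output escaping of shortcode attributes. The following PHP is an added illustration, not code from the RSS Feed Widget plugin or its author: a hypothetical shortcode handler that interpolates attributes straight into HTML, beside a hardened version that validates each attribute on input and escapes it for the HTML context it lands in. The shortcode name <code>example_videos</code>, the attribute names and the function names are assumptions made for the example; the WordPress helpers (<code>shortcode_atts</code>, <code>absint</code>, <code>sanitize_text_field</code>, <code>esc_html</code>, <code>esc_url</code>, <code>add_shortcode</code>) are real core functions.</p>

```php
<?php
/**
 * Added illustration (not code from the RSS Feed Widget plugin): a shortcode
 * handler that echoes user-supplied attributes, beside a hardened version.
 * The shortcode name, attribute names and function names are hypothetical.
 */

// --- Vulnerable pattern: attributes are interpolated into HTML unescaped. ---
// Anyone allowed to place shortcodes in post content (contributor-level and
// above, per the advisory) controls $atts, so each attribute is an injection
// point that is stored with the post and rendered for every later visitor.
function example_videos_shortcode_unsafe( $atts ) {
    $a = shortcode_atts( array(
        'channel' => '',
        'width'   => '750',
        'title'   => 'Latest videos',
    ), $atts, 'example_videos' );

    // BAD: values reach a style attribute, element text and an href with no
    // validation and no escaping for any of those three contexts.
    return '<div class="rfw-videos" style="width:' . $a['width'] . 'px">'
         . '<h4>' . $a['title'] . '</h4>'
         . '<a href="https://www.youtube.com/' . $a['channel'] . '">Channel</a>'
         . '</div>';
}

// --- Hardened pattern: validate on input, escape on output, per context. ---
function example_videos_shortcode_safe( $atts ) {
    $a = shortcode_atts( array(
        'channel' => '',
        'width'   => '750',
        'title'   => 'Latest videos',
    ), $atts, 'example_videos' );

    // Numeric attribute: coerce to a non-negative integer, then clamp to a
    // sane range so the value can only ever be emitted as digits.
    $width = min( max( absint( $a['width'] ), 100 ), 1920 );

    // Free-text attribute: strip tags and control characters on input, then
    // escape for the HTML text context on output.
    $title = esc_html( sanitize_text_field( $a['title'] ) );

    // Path-like attribute: allow only a conservative character set, build the
    // URL ourselves so the scheme and host are fixed, and escape it for href.
    $channel = preg_replace( '/[^A-Za-z0-9_\-]/', '', $a['channel'] );
    $href    = esc_url( 'https://www.youtube.com/' . $channel );

    // sprintf with %d guarantees the width is emitted as an integer only.
    return sprintf(
        '<div class="rfw-videos" style="width:%dpx"><h4>%s</h4><a href="%s">Channel</a></div>',
        $width,
        $title,
        $href
    );
}

// Register only the hardened handler; the unsafe one exists for comparison.
add_shortcode( 'example_videos', 'example_videos_shortcode_safe' );
```

<p>The point of the hardened version is that sanitizing on input alone is not enough: each attribute is escaped with the helper that matches where it is written (element text, attribute, URL), and the numeric one is reduced to an integer before it can reach a style attribute at all. For a fix review of a stored XSS like this one, the check is that every path from <code>$atts</code> to the returned string passes through an escape call appropriate to its output context.</p>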
<ul>
<li>
<p>Author: <a href="https://www.androidbubbles.com/contact" rel="nofollow ugc">Fahad Mahmood</a></p>
</li>
<li>
<p>Project URI: <a href="http://androidbubble.com/blog/wordpress/widgets/rss-feed-widget" rel="nofollow ugc">http://androidbubble.com/blog/wordpress/widgets/rss-feed-widget</a></p>
</li>
<li>
<p>License: GPL 3. See License below for copyright jots and tittles.</p>
</li>
</ul>
<p>RSS Feed Widget is a free WordPress plugin for displaying RSS feeds. It is simple to use: after installation a menu item appears under Settings. To get started, select an image size for your feed and save your changes. For more customization, you can install Chameleon and choose the desired style. The plugin can also filter or mute words, text or sentences: open the Filter tab and enter one word, text or sentence per line.<br />
You can also choose from various image sizes for your feed, such as thumbnail, medium, large or post thumbnail. It also supports creating shortcode-based pages; the Shortcode tab describes how to create them. The most important and special feature is Advanced Settings: the Advanced Settings tab lets you reach the custom image tag in unusual XML-based feeds.</p>
<p>Important!<br />
Visit my blog and suggest good features which you want to see in this plugin.</p>
<h4>Tags</h4>
<p>feed, facebook, youtube, shortcodes, slider, image, widget, page, techcrunch, news, updates, aggregator, slideshow, feedly</p>
<p>How to use shortcodes for content pages?<br />
Video walkthrough: <a href="https://www.youtube.com/embed/QCLNXfPOsQo" rel="nofollow ugc">https://www.youtube.com/embed/QCLNXfPOsQo</a></p>
<h3>License</h3>
<p>This WordPress Plugin is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or any later version. This free software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this software. If not, see http://www.gnu.org/licenses/gpl-2.0.html.</p>