CVE-2024-9177

CVSS v3: 6.4 (MEDIUM)
CVSS v2: N/A
Affected: 1 project

Description

The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all versions up to and including 1.0.14, and via the plugin's themedy_button shortcode in all versions up to and including 1.0.15, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.
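For sites that ran an affected version, stored post content can be audited for shortcode attributes that should not contain markup. The script below is an added example, not code from the plugin or from this advisory; the attribute names and sample posts are constructed, and the heuristics are a triage aid rather than a complete filter.

```python
import html
import re

# Shortcode tags named in the CVE-2024-9177 description.
AFFECTED_TAGS = ("themedy_col", "themedy_social_link", "themedy_alertbox",
                 "themedy_pullleft", "themedy_button")
SHORTCODE_RE = re.compile(r"\[(%s)\b([^\]]*)\]" % "|".join(AFFECTED_TAGS))
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")

# Heuristics for values that do not belong in a plain shortcode attribute.
CHECKS = (
    ("markup-breaking character", re.compile(r"""[<>"'`]""")),
    ("inline event handler", re.compile(r"""(?:^|[\s"'/])on[a-z]+\s*=""", re.I)),
    ("script-capable URL scheme", re.compile(r"^(javascript|vbscript|data):", re.I)),
)

def suspicious_reasons(raw_value):
    """Return the name of every heuristic the decoded attribute value trips."""
    value = html.unescape(raw_value)             # quotes may be stored as entities
    compact = re.sub(r"[\x00-\x20]", "", value)  # whitespace can hide a URL scheme
    return tuple(name for name, rx in CHECKS
                 if rx.search(compact if name.endswith("scheme") else value))

def audit_post(post_id, content):
    """Flag attributes of the affected shortcodes found in one post body."""
    findings = []
    for tag, attr_text in SHORTCODE_RE.findall(content):
        for m in ATTR_RE.finditer(attr_text):
            value = next(g for g in m.groups()[1:] if g is not None)
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append((post_id, tag, m.group(1), reasons))
    return findings

def audit(posts):
    return [f for pid, body in sorted(posts.items()) for f in audit_post(pid, body)]

# Constructed sample: post ID -> post_content (attribute names are illustrative).
SAMPLE_POSTS = {
    101: '[themedy_button url="https://example.com/pricing" size="large"]Buy[/themedy_button]',
    102: "[themedy_alertbox type='info&quot; onmouseover=&quot;x']Note[/themedy_alertbox]",
    103: '[themedy_social_link url="javascript:void(0)"]',
    104: '[gallery ids="1,2"] [themedy_column width="half"]',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(finding)
```

Flagged posts still need manual review, and contributor-authored drafts and revisions should be included in the export being scanned.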

Themedy Toolbox (UNAVAILABLE)

Themedy Toolbox is a very powerful, yet easy to use shortcodes plugin. Shortcodes can be generated via the new Themedy button in your editor in the Visual tab of the WordPress editor.

You can add buttons, columns, social icons and links, accordions, toggles, tabs, alert boxes, pull quotes, responsive Youtube and Vimeo videos, and maps to your site by simply filling out a few options and clicking the Insert Shortcode button.

Please note that this plugin will work outside our Themedy themes (https://themedy.com), but we will not provide support for any issues with other themes.

WordPress Plugin Directory
22.7K