CVE-2024-10939: Image Widget < 4.4.11 - Admin+ Stored XSS
First published: Fri Dec 13 2024(Updated: )
The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| StellarWP Image Widget | <4.4.11 | |
| StellarWP Image Widget | <4.4.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-10939?
CVE-2024-10939 is considered a high severity vulnerability due to the potential for Stored Cross-Site Scripting attacks.
How do I fix CVE-2024-10939?
To fix CVE-2024-10939, update the Image Widget plugin to version 4.4.11 or later.
Who is affected by CVE-2024-10939?
CVE-2024-10939 affects WordPress users who have the Image Widget plugin installed prior to version 4.4.11.
What type of vulnerability is CVE-2024-10939?
CVE-2024-10939 is a Stored Cross-Site Scripting vulnerability.
Can only admins exploit CVE-2024-10939?
Yes, CVE-2024-10939 allows high privilege users, such as admins, to exploit the vulnerability.
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- vendor/wordpress
- canonical/stellarwp image widget
- vendor/stellarwp