CVE-2024-11753: UMich OIDC Login <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
First published: Wed Feb 19 2025(Updated: )
The UMich OIDC Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'umich_oidc_button' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| UMich OIDC Login | <=1.2.0 | |
| WordPress |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b372ad3a-0056-45fb-9a0e-7604f4fdf240?source=cve
- https://plugins.trac.wordpress.org/browser/umich-oidc-login/tags/1.2.0/includes/class-run.php#L248
- https://plugins.trac.wordpress.org/browser/umich-oidc-login/tags/1.2.0/includes/site/class-shortcodes.php#L248
- https://plugins.trac.wordpress.org/browser/umich-oidc-login/tags/1.2.0/includes/site/class-shortcodes.php#L158
Frequently Asked Questions
What is the severity of CVE-2024-11753?
CVE-2024-11753 has a medium severity due to its potential for exploitation via stored cross-site scripting.
How do I fix CVE-2024-11753?
To fix CVE-2024-11753, upgrade the UMich OIDC Login plugin to a version higher than 1.2.0.
What are the consequences of CVE-2024-11753?
CVE-2024-11753 can allow an attacker to execute malicious scripts in the context of users, leading to unauthorized access and data theft.
Which software versions are affected by CVE-2024-11753?
CVE-2024-11753 affects all versions of the UMich OIDC Login plugin for WordPress up to and including version 1.2.0.
Who is responsible for addressing CVE-2024-11753?
Website administrators using the UMich OIDC Login plugin for WordPress are responsible for updating the plugin to mitigate CVE-2024-11753.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/description
- agent/references
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- agent/tags
- agent/last-modified-date
- agent/event
- vendor/umich
- canonical/umich oidc login
- vendor/wordpress
- canonical/wordpress