CVE-2024-0974

Social Media Widget < 4.0.9 - Admin+ Stored XSS

The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).


We have discovered 2 live websites that are affected by CVE-2024-0974.





Affected Software

Product                    Social Media Widget
Category                   WordPress Plugins
Vulnerable Domains         2 live websites (18.18% of Social Media Widget install base)
Vulnerable Versions
  • from 0 before 4.0.9
Vulnerable Versions Count  2 versions (20.00% of all versions)


Common Weakness Enumeration

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - Jul 12, 2024
  • Updated - Aug 1, 2024

Credits

  • Dmitrii Ignatyev (finder)
  • WPScan (coordinator)

CVE-2024-0974 usage by Country

United States: 2 websites

CVE-2024-0974 usage by TLD

.com: 2 websites


Websites affected by CVE-2024-0974

Top websites that are affected by CVE-2024-0974.
Domain           Country        Rank        Contacts
*********.com    United States  **,***,***
***********.com  United States  **,***,***

FAQ

CVE-2024-0974 is an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Social Media Widget.
A total of 2 websites have been identified as vulnerable to CVE-2024-0974, discovered through global website indexing conducted by WebTechSurvey.
Social Media Widget is susceptible to the CVE-2024-0974 vulnerability.
Social Media Widget versions before 4.0.9 are vulnerable to CVE-2024-0974.
Version 4.0.9 of Social Media Widget addresses the CVE-2024-0974 security vulnerability.