CVE-2024-1499
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in the $settings['title_tags'] parameter in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 16,763 live websites that are affected by CVE-2024-1499.
Affected Software
| Product |  OrbitFox |
| Category | Wordpress Plugins |
| Vulnerable Domains | 16,763 live websites (77.35% of OrbitFox install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 129 versions ( 82.17% of all versions) |
Details
- Published - Mar 13, 2024
- Updated - Aug 1, 2024
Credits
- Maxuel (finder)
CVE References
CVE-2024-1499 usage by Country
 United States | 4,214 websites |
 Germany | 2,047 websites |
 France | 1,707 websites |
 Poland | 860 websites |
 Netherlands | 628 websites |
 GB | 549 websites |
 Japan | 520 websites |
 Spain | 466 websites |
 Italy | 453 websites |
 Russia | 435 websites |
CVE-2024-1499 usage by TLD
| .com | 5,946 websites |
| .de | 975 websites |
| .org | 854 websites |
| .fr | 732 websites |
| .pl | 724 websites |
| .nl | 637 websites |
| .co.uk | 411 websites |
| .it | 379 websites |
| .net | 360 websites |
| .ru | 346 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-1499
Top websites that are affected by CVE-2024-1499. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.com |  Korea, South | **,*** | |
| *******.com | Germany | **,*** | |
| ***************.org | United States | ***,*** | |
| *****************.com | United States | ***,*** | |
| *******.com |  Cyprus | ***,*** | |
| *********.com |  Canada | ***,*** | |
| **********************.org | United States | ***,*** | |
| ***********.fr | France | ***,*** | |
| ***********.com |  Argentina | ***,*** | |
| *********.cz |  Czech Republic | ***,*** |
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/df40eb21-2080-4de5-9055-09246a8a275e?source=cve
- https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/2.10.30/vendor/codeinwp/elementor-extra-widgets/widgets/elementor/pricing-table.php#L1037
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3038451%40themeisle-companion%2Ftrunk&old=3030173%40themeisle-companion%2Ftrunk&sfp_email=&sfph_mail=#file10