CVE-2024-2170
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className.' This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 18,406 live websites that are affected by CVE-2024-2170.
Affected Software
| Product |  Vk All In One Expansion Unit |
| Category | Wordpress Plugins |
| Vulnerable Domains | 18,406 live websites (44.17% of Vk All In One Expansion Unit install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 358 versions ( 92.75% of all versions) |
Details
- Published - Mar 26, 2024
- Updated - Aug 1, 2024
Credits
- Ngô Thiên An (finder)
- Son Tran (finder)
CVE References
CVE-2024-2170 usage by Country
 United States | 391 websites |
 Japan | 16,939 websites |
 France | 32 websites |
 Italy | 30 websites |
 Singapore | 11 websites |
 China | 11 websites |
 Germany | 9 websites |
 GB | 8 websites |
 Ukraine | 4 websites |
CVE-2024-2170 usage by TLD
| .com | 9,380 websites |
| .jp | 3,465 websites |
| .co.jp | 2,402 websites |
| .net | 1,348 websites |
| .org | 486 websites |
| .info | 309 websites |
| .it | 26 websites |
| .co | 16 websites |
| .de | 6 websites |
| .co.uk | 4 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-2170
Top websites that are affected by CVE-2024-2170. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.tokyo | Japan | **,*** | |
| *****.jp | Japan | **,*** | |
| **.***********.**.jp | Japan | ***,*** | |
| *******.jp | Japan | ***,*** | |
| ********.jp | Japan | ***,*** | |
| *****.***.si |  Slovenia | ***,*** | |
| **********.org | United States | ***,*** | |
| *******.jp | Japan | ***,*** | |
| ******.**.jp | Japan | ***,*** | |
| ********.**.jp | United States | ***,*** |
FAQ
A total of 18,406 websites have been identified as vulnerable to CVE-2024-2170, discovered through global website indexing conducted by WebTechSurvey.
Vk All In One Expansion Unit is susceptible to CVE-2024-2170 vulnerability.
Vk All In One Expansion Unit versions before, and including, 9.96.0.1 are vulnerable to CVE-2024-2170.