CVE-2024-3368
All in One SEO < 4.6.1.1 - Contributor+ Stored XSSThe All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
We have discovered 293,276 live websites that are affected by CVE-2024-3368.
Affected Software
| Product |  All in One SEO Pack |
| Category | Search Engine Optimization |
| Vulnerable Domains | 293,276 live websites (33% of All in One SEO Pack install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 247 versions ( 82% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - May 20, 2024
- Updated - Mar 14, 2025
Credits
- Dmtirii Ignatyev (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-3368 United States | 57,788 websites |
 Japan | 88,512 websites |
 Russia | 22,189 websites |
 Germany | 17,546 websites |
 France | 10,477 websites |
 GB | 7,587 websites |
 Italy | 7,531 websites |
 Poland | 7,412 websites |
 Canada | 4,447 websites |
Website Distribution by TLD
Number of websites using CVE-2024-3368| .com | 126,289 websites |
| .ru | 21,195 websites |
| .jp | 19,219 websites |
| .net | 13,017 websites |
| .co.jp | 12,413 websites |
| .org | 9,395 websites |
| .de | 8,857 websites |
| .pl | 5,728 websites |
| .it | 5,202 websites |
| .co.uk | 5,098 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3368
Top websites that are affected by CVE-2024-3368. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.net | Canada | *** | |
| *********.com | Italy | *,*** | |
| ******.at | Germany | *,*** | |
| ****.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| *******.io | Russia | *,*** | |
| ***************.com |  Croatia | *,*** | |
| ******************.com | United States | *,*** |
FAQ
CVE-2024-3368 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in All in One SEO Pack
A total of 293,276 websites have been identified as vulnerable to CVE-2024-3368, based on global website indexing conducted by WebTechSurvey.
The All in One SEO Pack is affected by the CVE-2024-3368 vulnerability.
All in One SEO Pack versions up to 4.6.1.1 are vulnerable to CVE-2024-3368.
CVE-2024-3368 is resolved in version 4.6.1.1 of All in One SEO Pack.