CVE-2024-3368
All in One SEO < 4.6.1.1 - Contributor+ Stored XSSThe All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
We have discovered 473,705 live websites that are affected by CVE-2024-3368.
Affected Software
| Product |  All in One SEO Pack |
| Category | Search Engine Optimization |
| Vulnerable Domains | 473,705 live websites (43.76% of All in One SEO Pack install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 335 versions ( 90.30% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - May 20, 2024
- Updated - Mar 14, 2025
Credits
- Dmtirii Ignatyev (finder)
- WPScan (coordinator)
CWE
CVE References
CWE References
CVE-2024-3368 usage by Country
 United States | 114,873 websites |
 Japan | 139,406 websites |
 Germany | 32,959 websites |
 Russia | 29,413 websites |
 France | 18,924 websites |
 Poland | 11,404 websites |
 GB | 11,193 websites |
 Turkey | 6,495 websites |
 Cyprus | 6,486 websites |
CVE-2024-3368 usage by TLD
| .com | 217,203 websites |
| .jp | 28,878 websites |
| .ru | 27,212 websites |
| .net | 21,221 websites |
| .co.jp | 17,277 websites |
| .org | 15,442 websites |
| .de | 13,722 websites |
| .pl | 9,228 websites |
| .co.uk | 8,401 websites |
| .info | 5,930 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3368
Top websites that are affected by CVE-2024-3368. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.net |  Singapore | *** | |
| *********.com |  Italy | *,*** | |
| ******.at | Germany | *,*** | |
| ****.com | United States | *,*** | |
| *****.com | United States | *,*** | |
| ***********.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| *******.io | Russia | *,*** | |
| *************.org | United States | *,*** |
FAQ
CVE-2024-3368 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in All in One SEO Pack
A total of 473,705 websites have been identified as vulnerable to CVE-2024-3368, discovered through global website indexing conducted by WebTechSurvey.
All in One SEO Pack is susceptible to CVE-2024-3368 vulnerability.
All in One SEO Pack versions before 4.6.1.1 are vulnerable to CVE-2024-3368.
Version 4.6.1.1 of All in One SEO Pack addresses the CVE-2024-3368 security vulnerability.