CVE-2024-5901
SiteOrigin Widgets Bundle <= 1.62.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Image Grid widgetThe SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget in all versions up to, and including, 1.62.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 40,622 live websites that are affected by CVE-2024-5901.
Affected Software
| Product |  So Widgets Bundle |
| Category | Wordpress Plugins |
| Vulnerable Domains | 40,622 live websites (47.19% of So Widgets Bundle install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 196 versions ( 85.96% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Jul 30, 2024
- Updated - Aug 1, 2024
Credits
- Ngô Thiên An (finder)
CWE
CVE References
CWE References
CVE-2024-5901 usage by Country
 United States | 9,287 websites |
 Germany | 5,696 websites |
 France | 2,975 websites |
 Japan | 2,069 websites |
 GB | 1,968 websites |
 Netherlands | 1,757 websites |
 Poland | 1,618 websites |
 Russia | 1,472 websites |
 Italy | 1,147 websites |
 Spain | 981 websites |
CVE-2024-5901 usage by TLD
| .com | 14,354 websites |
| .de | 3,148 websites |
| .nl | 1,735 websites |
| .org | 1,688 websites |
| .co.uk | 1,463 websites |
| .pl | 1,286 websites |
| .ru | 1,195 websites |
| .fr | 1,160 websites |
| .it | 897 websites |
| .net | 852 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-5901
Top websites that are affected by CVE-2024-5901. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.*************.com | United States | *,*** | |
| ****.***.tr |  Turkey | **,*** | |
| *************.com | United States | **,*** | |
| *****************.com | United States | **,*** | |
| ***********.com | United States | **,*** | |
| *****************.org | Germany | **,*** | |
| *********.org | United States | **,*** | |
| ******.org | United States | **,*** | |
| *********.com |  Indonesia | **,*** | |
| ****.**.th |  Thailand | **,*** |
FAQ
CVE-2024-5901 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in So Widgets Bundle
A total of 40,622 websites have been identified as vulnerable to CVE-2024-5901, discovered through global website indexing conducted by WebTechSurvey.
So Widgets Bundle is susceptible to CVE-2024-5901 vulnerability.
So Widgets Bundle versions before, and including, 1.62.2 are vulnerable to CVE-2024-5901.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0045c5a4-0807-4e89-8639-0802e54ce6ab?source=cve
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.62.0/widgets/image-grid/tpl/default.php#L28
- https://plugins.trac.wordpress.org/browser/so-widgets-bundle/tags/1.62.0/widgets/image-grid/image-grid.php#L282