CVE-2024-0658

Name of the Vulnerable Software and Affected Versions Insert PHP Code Snippet plugin for WordPress versions up to, and including, 1.3.4

Description The issue allows for Stored Cross-Site Scripting via the user's name when accessing the "insert-php-code-snippet-manage" page due to insufficient input sanitization and output escaping. This enables authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For Insert PHP Code Snippet plugin for WordPress versions up to, and including, 1.3.4, update to a version later than 1.3.4 to resolve the issue. As a temporary workaround, consider restricting access to the insert-php-code-snippet-manage page to minimize the risk of exploitation.