CVE-2024-7355

Name of the Vulnerable Software and Affected Versions Organization chart plugin for WordPress versions up to, and including, 1.5.0

Description The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages via the title input and node description parameters. This enables the execution of injected scripts whenever a user accesses an injected page. By default, exploitation is limited to administrators, but subscribers can also exploit this if they have been granted the ability to use and configure charts.

Recommendations For versions up to, and including, 1.5.0, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent exploitation. As a temporary workaround, consider restricting access to the title input and node description parameters to minimize the risk of arbitrary web script injection. Additionally, limiting the ability to use and configure charts to administrators only can help reduce the attack surface until a fix is applied.