CVE-2024-9177

Name of the Vulnerable Software and Affected Versions Themedy Toolbox plugin for WordPress versions up to 1.0.14 Themedy Toolbox plugin for WordPress version 1.0.15 for the themedy button shortcode

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcodes, including themedy col, themedy social link, themedy alertbox, and themedy pullleft. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations For versions up to 1.0.14, consider disabling the themedy col, themedy social link, themedy alertbox, and themedy pullleft shortcodes until a patch is available. For version 1.0.15, restrict the use of the themedy button shortcode to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.