PT-2025-18043 · WordPress · Wp-Recall
Bob Matyas · Published 2025-04-28 · Updated 2025-04-28 · CVE-2024-9771
| CVSS v3.1 | 3.5 (Low) |
| Vector | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WP-Recall WordPress plugin version 16.26.12 and earlier
Description
The WP-Recall WordPress plugin does not sanitise on save or escape on output some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup.
Recommendations
For WP-Recall WordPress plugin version 16.26.12 and earlier, update to version 16.26.12 or later to resolve the issue. As a temporary workaround, consider restricting the unfiltered_html capability to minimize the risk of exploitation.
Exploit · Fix · XSS
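To make the description and the workaround concrete, here is an added illustrative snippet (not WP-Recall's own code) showing the unescaped-settings pattern the advisory describes next to the hardened form, plus the capability restriction it recommends; the option name demo_banner_text and the function names are hypothetical.

```php
<?php
// Added example, not plugin code. Option/function names are hypothetical.

// Vulnerable pattern: the submitted value is stored raw and printed raw, so a
// setting containing markup is rendered for every admin who opens the page.
function demo_save_setting_vulnerable() {
    update_option( 'demo_banner_text', $_POST['demo_banner_text'] );
}
function demo_render_setting_vulnerable() {
    echo '<input name="demo_banner_text" value="' . get_option( 'demo_banner_text' ) . '">';
}

// Hardened pattern: sanitise on save through register_setting()'s
// sanitize_callback, and escape on output with esc_attr().
function demo_register_setting() {
    register_setting( 'demo_options', 'demo_banner_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags and control chars
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_register_setting' );

function demo_render_setting_hardened() {
    printf(
        '<input type="text" name="demo_banner_text" value="%s">',
        esc_attr( get_option( 'demo_banner_text', '' ) )
    );
}

// Workaround from the advisory: deny unfiltered_html to every role so that
// WordPress applies KSES filtering even to administrators. This is equivalent
// to defining DISALLOW_UNFILTERED_HTML in wp-config.php. Note that it only
// protects code paths that honour the capability; a plugin that stores and
// echoes settings raw still needs the fixed version.
function demo_disallow_unfiltered_html( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        $caps = array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'demo_disallow_unfiltered_html', 10, 2 );
```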
Affected Products
Wp-Recall