CVE-2024-13735

Name of the Vulnerable Software and Affected Versions HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin versions up to, and including, 2.11.2

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping of a campaign name. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page.

Recommendations For versions up to, and including, 2.11.2, update to a version that addresses the insufficient input sanitization and output escaping of the campaign name. As a temporary workaround, consider restricting access to the campaign name input field to prevent authenticated attackers from injecting arbitrary web scripts. Restrict Contributor-level access and above to minimize the risk of exploitation.