CVE-2024-13901

Name of the Vulnerable Software and Affected Versions The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress versions up to, and including, 2.0.6

Description The issue is related to DOM-Based Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the content parameter. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled.

Recommendations For versions up to, and including, 2.0.6, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent DOM-Based Stored Cross-Site Scripting attacks.