CVE-2024-5020
Description
Multiple WordPress plugins, in various versions, are vulnerable to Stored Cross-Site Scripting via their bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7), due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
General Information
Products
- Colibri Page Builder
- Gallery Plugin for WordPress – Envira Photo Gallery
- Photo Gallery Sliders Proofing and Themes – NextGEN Gallery
- Accordion Slider
- Form Maker by 10Web – Mobile Friendly Drag & Drop Contact Form Builder
- Getwid – Gutenberg Blocks
- Firelight Lightbox
- Responsive Lightbox & Gallery
- Carousel Slider Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery Video Slider Post Carousel & Post Grid Product Carousel & Product Grid
- FancyBox for WordPress
- Visual Portfolio Photo Gallery & Post Grid
- WPC Smart Quick View for WooCommerce
- Easy Social Feed Premium
- FV Flowplayer Video Player