CVE-2024-8983

Published: Oct 8, 2024Modified: Jun 17, 2026

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Affected (1)

Products: Smashballoon: Custom Twitter Feeds

1 product

Custom Twitter Feeds

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Smashballoon Custom Twitter Feeds	Before 2.2.3

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

https://wpscan.com/vulnerability/29194dde-8d11-4096-a5ae-1d69c2c5dc33/

Source: contact@wpscan.com

ExploitThird Party Advisory

Timeline

No history available yet.