CVE-2024-9645

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-9645
The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://wpscan.com/vulnerability/cfd6db83-5e7f-4631-87c3-fdcd4c64c4fe/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:pickplugins:post_grid:*:*:*:*:*:wordpress:*:*
History

04 Jun 2025, 20:06

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/cfd6db83-5e7f-4631-87c3-fdcd4c64c4fe/ - () https://wpscan.com/vulnerability/cfd6db83-5e7f-4631-87c3-fdcd4c64c4fe/ - Exploit, Third Party Advisory
First Time Pickplugins
Pickplugins post Grid
CPE cpe:2.3:a:pickplugins:post_grid:*:*:*:*:*:wordpress:*:*
CWE CWE-79

16 May 2025, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4

16 May 2025, 14:42

Type Values Removed Values Added
Summary
  • (es) El complemento Post Grid, Posts Slider, Posts Carousel, Post Filter y Post Masonry de WordPress anterior a la versión 2.2.93 no valida ni escapa algunas de sus opciones de bloque antes de mostrarlas nuevamente en una página o publicación donde el bloque está incrustado, lo que podría permitir a los usuarios con rol de colaborador y superior realizar ataques de Cross-Site Scripting almacenado.

15 May 2025, 20:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-15 20:16

Updated : 2025-06-04 20:06

NVD link : CVE-2024-9645

Mitre link : CVE-2024-9645

CVE.ORG link : CVE-2024-9645

JSON object : View

Products Affected

pickplugins

  • post_grid
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')