CVE-2024-0703Cross-site Scripting in Sticky Buttons Floating Buttons Builder

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
CNA4.4
EPSS
0.2%
top 58.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Wpcalc Sticky Buttons Floating Buttons BuilderWow-company Sticky Buttons
Timeline
PublishedJan 23
Latest updateApr 11

Description

The Sticky Buttons – floating buttons builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via sticky URLs in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_htm

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

Patches

Patch: plugins.trac.wordpress.orgPatch: www.wordfence.comPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

3
VulDB
Sticky Buttons Plugin up to 3.2.2 on WordPress cross site scripting2026-04-11
GHSA
GHSA-xm3m-3r5x-p3p6: The Sticky Buttons – floating buttons builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via sticky URLs in all versions up to,2024-01-23
CVEList
Sticky Buttons <= 3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting2024-01-23
CVE-2024-0703 — Cross-site Scripting | cvebase