CVE-2024-1219
Published: 2024-04-17
Priority: P4 / 20 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector (NVD): AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS: 0.30% (22.0th percentile)
The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin
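To make the bug class concrete, here is an added example, not code from Easy Social Feed or from this page: a shortcode handler that writes its attributes back into the page unescaped, beside a hardened version that coerces the numeric attribute and escapes the text one for attribute context. The shortcode tag `demo_feed`, its attributes and the payload are hypothetical. The WordPress helpers it calls are real (`add_shortcode`, `shortcode_atts`, `esc_attr`, `absint`); minimal stand-ins approximating them are defined so the file also runs from the PHP CLI.

```php
<?php
// Added example, not the plugin's code. Demonstrates the CVE-2024-1219 bug class:
// shortcode attributes written into markup without validation or escaping.
// The tag name "demo_feed" and the payload below are hypothetical.

// Stand-ins so this runs from the CLI; inside WordPress the real helpers exist.
if (!function_exists('esc_attr')) {
    // Approximates WordPress esc_attr(): entity-encode for an HTML attribute context.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    // Approximates absint(): non-negative integer coercion.
    function absint($maybeint): int {
        return abs((int) $maybeint);
    }
    // Approximates shortcode_atts(): unknown attributes are dropped, defaults fill the rest.
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
    function add_shortcode(string $tag, callable $callback): void {
        $GLOBALS['demo_shortcodes'][$tag] = $callback;
    }
}

// Vulnerable: contributor-controlled values land inside double-quoted HTML
// attributes with no escaping, so a value containing a double quote closes
// the attribute and can append an event handler.
function demo_feed_vulnerable($atts): string {
    $atts = shortcode_atts(['width' => '600', 'title' => 'Feed'], (array) $atts, 'demo_feed_vuln');
    return '<div class="esf-feed" style="width:' . $atts['width'] . 'px" data-title="'
         . $atts['title'] . '"></div>';
}

// Hardened: choose the treatment by the context each attribute ends up in.
// The numeric one is coerced (nothing left to escape), the text one is
// escaped for attribute context at the point of output.
function demo_feed_hardened($atts): string {
    $atts  = shortcode_atts(['width' => '600', 'title' => 'Feed'], (array) $atts, 'demo_feed');
    $width = absint($atts['width']);
    $title = esc_attr($atts['title']);
    return '<div class="esf-feed" style="width:' . $width . 'px" data-title="' . $title . '"></div>';
}

add_shortcode('demo_feed_vuln', 'demo_feed_vulnerable');
add_shortcode('demo_feed', 'demo_feed_hardened');

// Constructed payload, as a contributor could type it into a post:
//   [demo_feed title='" onmouseover="alert(document.domain)' width='1" onfocus="alert(1)']
// It breaks out of the attribute instead of injecting a <script> tag because
// contributors lack the unfiltered_html capability: KSES strips raw tags on
// save but leaves quote characters inside shortcode attributes untouched.
$payload = [
    'title' => '" onmouseover="alert(document.domain)',
    'width' => '1" onfocus="alert(1)',
];

if (PHP_SAPI === 'cli') {
    echo "vulnerable: ", demo_feed_vulnerable($payload), PHP_EOL;
    echo "hardened:   ", demo_feed_hardened($payload), PHP_EOL;
}
```

Run it with `php demo.php` to compare the two renderings; inside a plugin, drop the stand-in block. The fix is output-time escaping matched to context: `esc_attr` for attribute values, `esc_html` for element bodies, `esc_url` for `href`/`src`, and coercion such as `absint` for values that must be numbers. Validating attributes on save is not a substitute, because the shortcode text itself is stored and re-parsed on every render.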
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| easysocialfeed | easy_social_feed | < 6.5.6 | 6.5.6 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| osv | | 9.2 | CRITICAL | |
Two caveats on these scores. The NVD vector records AV:L and PR:N, which does not match the description: a stored XSS reached over the web by an authenticated contributor would ordinarily be scored AV:N and PR:L, so the 5.3 says more about the vector's data quality than about the risk. The OSV 9.2 CRITICAL score is inherited from the linked OSV entry below, whose advisory text covers PHP itself (CVE-2024-11235, CVE-2025-1217, CVE-2025-1219) rather than this plugin; it should not be read as a score for CVE-2024-1219.
OSV
CVE-2024-11235: php7.4, php8.1, php8.3 vulnerabilities (osv · 2025-03-31 · CVSS 9.2)
This linked entry is an Ubuntu advisory for PHP itself, not for the Easy Social Feed plugin; the CVEs it covers (CVE-2024-11235, CVE-2025-1217, CVE-2025-1219) are distinct from CVE-2024-1219, and its 9.2 score does not describe this issue.
It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2024-11235)
It was discovered that PHP incorrectly handled certain folded headers. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2025-1217)
It was discovered that PHP incorrectly handled certain headers. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.10, and Ubuntu 24.04 LTS. (CVE-2025-1219)
It was discovered that PHP incorrectly handled certain headers with an invalid name and no colon. An attacker could possibly use this issue to confuse applications
GHSA
GHSA-22qj-8xm8-83m5 (ghsa_unreviewed · 2024-04-17): CVE-2024-1219 [MEDIUM], CWE-79 (Cross-site Scripting). The advisory carries the same description as the one above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
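Since no detection rule is indexed, here is an added example, not from this page or the plugin, of a content-side hunt: it walks post content for a given shortcode tag and flags attribute values shaped like an attribute break-out (a quote followed by an `on*` handler) or a `javascript:` URL. The tag `demo_feed` and the sample posts are constructed, and the shortcode grammar is a simplified one rather than WordPress's full parser. On a real site, feed it `post_content` from `wp_posts` (via `WP_Query` or WP-CLI) and review each hit together with the author's role.

```php
<?php
// Added example, not the plugin's code. Hunts for shortcode attribute values
// shaped like an attribute break-out or a javascript: URL. The tag "demo_feed"
// and the sample posts below are constructed for the demonstration.

/**
 * Return [post_id, attribute, value] for every suspicious attribute of $tag
 * found in $content. The shortcode regex is simplified: it matches
 * [tag attr=value ...] and does not handle escaped brackets or enclosed content.
 */
function find_suspicious_shortcode_atts(int $postId, string $content, string $tag): array
{
    $hits = [];
    $scPattern = '/\[' . preg_quote($tag, '/') . '\s+([^\]]*)\]/i';
    if (!preg_match_all($scPattern, $content, $shortcodes, PREG_SET_ORDER)) {
        return $hits;
    }
    // attr="..." | attr='...' | attr=bare   (a quoted value may contain the other quote)
    $attrPattern = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/';
    // A quote followed by an on* handler, or a javascript: scheme, inside the value.
    $badValue = '/["\'].*\bon\w+\s*=|javascript\s*:/is';

    foreach ($shortcodes as $sc) {
        preg_match_all($attrPattern, $sc[1], $attrs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
        foreach ($attrs as $a) {
            $value = $a[2] ?? $a[3] ?? $a[4] ?? '';
            if (preg_match($badValue, $value)) {
                $hits[] = [$postId, $a[1], $value];
            }
        }
    }
    return $hits;
}

// Constructed sample posts (stand-ins for rows of wp_posts).
$posts = [
    101 => 'Welcome! [demo_feed width="600" title="Latest posts"]',
    102 => "Promo [demo_feed title='\" onmouseover=\"alert(document.domain)' width='1\" onfocus=\"alert(1)']",
    103 => '[demo_feed link="javascript:alert(1)"] and some text',
];

if (PHP_SAPI === 'cli') {
    foreach ($posts as $id => $content) {
        foreach (find_suspicious_shortcode_atts($id, $content, 'demo_feed') as [$pid, $attr, $value]) {
            printf("post %d: attribute %s = %s\n", $pid, $attr, $value);
        }
    }
}
```

Posts 102 and 103 are reported, post 101 is not. Expect false positives from legitimate values that happen to contain a quote; the point of the scan is triage, so pair each hit with `post_author` and the author's role before escalating.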