CVE-2024-2031 — Cross-site Scripting in Video Conferencing With Zoom

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

CNA6.4

EPSS

0.1%

top 75.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imdpen Video Conferencing With Zoom J 3RK Video Conferencing With Zoom

Timeline

PublishedMar 12

Description

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDimdpen/video_conferencing_with_zoom< 4.4.5

▶CVEListV5j_3rk/video_conferencing_with_zoom4.4.4

🔴Vulnerability Details

CVEList

Video Conferencing with Zoom <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode↗2024-03-12

▶

GHSA

GHSA-343p-q3gf-xrfx: The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' short↗2024-03-12

▶