CVE-2024-5440 — Cross-site Scripting in Dynamic Content Personalization

CWE-79 — Cross-site Scripting CWE-908 — Use of Uninitialized Resource4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 65.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

If-so Dynamic Content Personalization

Timeline

PublishedMay 15

Description

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDif-so/dynamic_content_personalization< 1.8.0.3

🔴Vulnerability Details

CVEList

If-So Dynamic Content Personalization < 1.8.0.3 - Contributor+ Shortcode Stored XSS↗2025-05-15

▶

GHSA

GHSA-559f-7rvx-wm9p: The If-So Dynamic Content Personalization WordPress plugin before 1↗2025-05-15

▶

📋Vendor Advisories

Red Hat

kernel: netfilter: flowtable: validate vlan header↗2024-09-04

▶