CVE-2024-10309

MEDIUM

Tracking Code Manager < 2.4.0 - Authenticated Stored Cross-Site Scripting in Metabox Settings

Title source: llm
STIX 2.1

Description

The Tracking Code Manager WordPress plugin before 2.4.0 does not sanitise and escape some of its metabox settings when outputing them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/9eb21250-34bd-4600-a0a5-7c5117f69f04/

Scores

CVSS v3 5.9
EPSS 0.0025
EPSS Percentile 16.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
data443/tracking_code_manager < 2.4.0
Published Jan 30, 2025
Tracked Since Feb 18, 2026