CVE-2024-11605

MEDIUM

wp-publications < 1.2 - Authenticated Stored Cross-Site Scripting via Filename Output


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11605. PoC published by Zeynalxan Quliyev.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in the WP Publications WordPress plugin (versions <= 1.2) by creating a malicious BibTeX file with an embedded JavaScript payload. The payload executes when accessed via the plugin's BibTeX browser, bypassing WordPress's `unfiltered_html` protection.

Description

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Exploits (1)

exploitdb · WORKING POC
by Zeynalxan Quliyev · text · webapps · multiple
https://www.exploit-db.com/exploits/52368

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WP Publications WordPress Plugin <= 1.2
Auth required: yes
Prerequisites: High-privileged user access (e.g., admin) · Ability to upload files to the plugin directory
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References (1)
Tags: Exploit, Third Party Advisory · exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/91c5ee70-2ff5-46cd-a0f5-54987fc2e060/

Scores

CVSS v3: 4.8
EPSS: 0.0274
EPSS Percentile: 86.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1)
wp-publications_project/wp-publications < 1.2
Published: Dec 27, 2024
Tracked Since: Feb 18, 2026