CVE-2024-11229

The 코드엠샵 소셜톡 plugin for WordPress (versions up to 1.1.18) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping on user-supplied attributes in the add_plus_friends and add_plus_talk shortcodes [1]. This flaw enables authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages.

To exploit the vulnerability, an attacker must have at least a contributor role in a WordPress site where the plugin is active. By crafting a malicious shortcode attribute (e.g., via the WordPress editor or a custom request), the attacker can inject JavaScript that is stored in the page content. When any user—including administrators or visitors—accesses the affected page, the injected script executes in their browser context [1].

Successful exploitation allows the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing pages, or performing other client-side attacks. The impact is limited to the browser of users who view the compromised page, but it can lead to privilege escalation if an administrator's session is hijacked [1].

As of the publication date, no patched version of the plugin has been released. Users are advised to restrict contributor-level access, disable the vulnerable shortcodes, or remove the plugin until a fix is available [1].