CVE-2024-11446
Description
The Chessgame Shizzle plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'cs_nonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected products
- Range: <=1.3.0
Patches
- r3194845
Vulnerability mechanics
Root cause
"Insufficient sanitization of the 'cs_nonce' parameter allows reflected cross-site scripting."
Attack vector
An unauthenticated attacker crafts a URL containing a malicious payload in the 'cs_nonce' parameter. If a victim clicks the link, the payload executes in their browser context because the plugin fails to sanitize this input before reflecting it in the page output [CWE-79]. The attack requires no authentication and can be delivered via email, social media, or any mechanism that tricks the user into clicking.
Affected code
The vulnerability exists in the handling of the 'cs_nonce' GET parameter. The patch [patch_id=1607756] modifies the file(s) in the chessgame-shizzle plugin to escape this parameter before output. The exact function names are not specified in the advisory, but the issue affects all plugin files that reflect the cs_nonce value.
What the fix does
The patch [patch_id=1607756] adds proper escaping to the 'cs_nonce' parameter output, preventing injected scripts from being interpreted as HTML/JavaScript. By applying WordPress's built-in escaping functions, user-supplied input is neutralized before being rendered in the page, closing the XSS vector.
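The attack vector and fix described above reduce to one pattern: a GET value reflected into markup unescaped, and the same reflection wrapped in a WordPress escaping function. The following PHP is an added illustration written for this page; it is not the plugin's code, and the function names, the hidden-input markup and the sample input are hypothetical, since the advisory does not publish the affected function. Outside WordPress the block defines a fallback `esc_attr()` with the same HTML-attribute encoding so it can run from the command line.

```php
<?php
// Added illustration, not the Chessgame Shizzle plugin's own code.
// Function names and markup are hypothetical; only the parameter name
// 'cs_nonce' and the use of WordPress escaping come from the advisory.

// When run outside WordPress, provide the same encoding esc_attr() applies:
// &, <, >, " and ' become entities, so the value cannot close the attribute.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical): the request value is echoed straight
// into an attribute, so a quote in the input ends the attribute early.
function render_preview_vulnerable(array $get): string
{
    $nonce = $get['cs_nonce'] ?? '';
    return '<input type="hidden" name="cs_nonce" value="' . $nonce . '">';
}

// Fixed pattern, matching what the advisory says the patch does: escape at the
// point of output. Escaping belongs at output, not only at input, because the
// required encoding depends on where the value lands (attribute, text, URL).
function render_preview_fixed(array $get): string
{
    $nonce = $get['cs_nonce'] ?? '';
    return '<input type="hidden" name="cs_nonce" value="' . esc_attr($nonce) . '">';
}

// Defender's check: after rendering, the input must not have introduced any
// new tag or attribute boundary. Returns true when the value stayed inside
// exactly one element's attribute.
function reflection_is_contained(string $html): bool
{
    // A single self-contained <input ...> element and nothing else.
    return preg_match('/\A<input [^<>]*>\z/', $html) === 1;
}

// Constructed sample input (not an exploit from the advisory): a quote and a
// tag, enough to show the attribute boundary breaking without running script.
$sample = ['cs_nonce' => '"><b>injected</b>'];

$vuln  = render_preview_vulnerable($sample);
$fixed = render_preview_fixed($sample);

echo "vulnerable: $vuln\n";   // extra element appears after the input
echo "fixed:      $fixed\n";  // value rendered as &quot;&gt;&lt;b&gt;injected...
var_dump(reflection_is_contained($vuln));   // bool(false)
var_dump(reflection_is_contained($fixed));  // bool(true)
```

Running this with `php example.php` shows the unescaped form producing a second element from the input while the escaped form keeps the value inside the `value` attribute. The choice of `esc_attr()` versus `esc_html()` or `esc_url()` depends on the output context; the advisory does not say which of WordPress's escaping functions the patch uses, so the attribute variant here is an assumption. Independently of this CVE's fix, a nonce read from a request would normally also be checked with `wp_verify_nonce()` before any action is taken on it; that validation is about request authorization, not about the reflection this advisory covers.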
Preconditions
- input: Attacker must craft a URL with a malicious payload in the 'cs_nonce' parameter.
- network: Attacker must deliver the crafted link to the victim (e.g., via email, social media, or other channels).
- auth: No authentication required; the attack is unauthenticated.
Generated on May 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/chessgame-shizzle/tags/1.3.0/thirdparty/pgn4web/cs-preview-iframe.php (nvd)
- plugins.trac.wordpress.org/changeset/3194845/chessgame-shizzle/trunk/thirdparty/pgn4web/cs-preview-iframe.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/3d667f97-5072-4119-84d8-7104fd63559c (nvd)
News mentions
No linked articles in our index yet.