Medium severity 6.1 · NVD Advisory · Published Nov 21, 2024 · Updated Apr 15, 2026

CVE-2024-11447

Description

The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and including, 7.0.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in PeepSo WordPress plugin via 'filter' parameter allows unauthenticated attackers to inject scripts by tricking users into clicking a link.

Vulnerability Overview

The Community by PeepSo plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to and including 7.0.3.0. The flaw resides in the 'filter' parameter, which lacks sufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages that execute if a user performs an action such as clicking a crafted link [1].

Exploitation and Attack Surface

Exploitation requires no authentication; an attacker can craft a malicious URL containing the XSS payload in the 'filter' parameter. The attack is reflected, meaning the payload is executed in the context of the victim's browser when they visit the manipulated link. Successful exploitation depends on social engineering to trick a user into clicking the link, such as via phishing or embedding the link in a forum post.

Impact

If exploited, an attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS v3 base score of 6.1 (Medium) reflects the need for user interaction and the limited scope of impact typical of reflected XSS.

Mitigation

The vendor released version 7.0.4.0, which addresses this vulnerability along with other security fixes, including a script injection flaw in the search function [1]. Users are strongly advised to update to the latest version to mitigate the risk.
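
An added example, not part of the advisory or the plugin's code: a log-review helper for sites that ran 7.0.3.0 or earlier, flagging requests whose 'filter' query parameter decodes to markup characters. The combined access-log format, the `/example-page/` path and the character heuristic are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic (assumption): characters and sequences a plain filter value does
# not need, but that are required to break out of HTML or attribute context.
SUSPICIOUS = re.compile(r"""[<>"'`]|javascript:|\bon\w+\s*=""", re.IGNORECASE)

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; /example-page/ is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2024:10:00:01 +0000] '
    '"GET /example-page/?filter=recent HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Nov/2024:10:00:07 +0000] '
    '"GET /example-page/?filter=%22%3E%3Cb%3E HTTP/1.1" 200 5301 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/Nov/2024:10:01:12 +0000] '
    '"GET /example-page/?filter=%2522%253E%253Cb%253E HTTP/1.1" 200 5290 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Nov/2024:10:02:40 +0000] '
    '"GET /?s=%3Cb%3E&filter=new HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]


def suspicious_filter_values(log_line):
    """Return decoded 'filter' values in one log line that contain markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        if name.lower() == "filter" and SUSPICIOUS.search(decoded):
            hits.append(decoded)
    return hits


def scan(lines):
    """Return (line_number, values) for each line with a suspicious filter."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_filter_values(line))]


if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: filter={values!r}")
```

A hit shows that a crafted link was requested, not that a script ran in a browser; correlate the timestamp and client address with the user sessions active at that time.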

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
