CVE-2024-1993
Description
The Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Icon Widget plugin (≤1.3.0) allows contributor-level attackers to inject arbitrary scripts via shortcode attributes.
Vulnerability
The Icon Widget plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability in its shortcode handling in all versions up to and including 1.3.0. User-supplied shortcode attributes are not properly sanitized or escaped before output, allowing injection of arbitrary web scripts [1].
Exploitation
An attacker needs an account with at least the Contributor role. Contributors can write posts but cannot publish them and, by default, lack the unfiltered_html capability, so a raw `<script>` tag in their post body is stripped by KSES on save; the shortcode route bypasses that filter because the payload sits inside a shortcode attribute rather than inside an HTML tag. The attacker places a crafted shortcode in a post or page, and the injected script runs in the browser of anyone who renders it, including an Editor or Administrator who previews or reviews the pending submission.
Impact
Successful exploitation yields stored XSS: the script executes in the victim's browser within the site's own origin. Because WordPress sets its authentication cookies HttpOnly, the practical payoff is usually not cookie theft but riding the victim's session: an administrator who renders the page can be made to perform authenticated actions through wp-admin or the REST API using the nonces present in the page (for example creating a new administrator account), which turns a Contributor account into full site compromise. Defacement of the page and exfiltration of data visible in the DOM are also possible.
Mitigation
The vendor fixed the issue in version 1.3.1; update to 1.3.1 or later. The plugin exposes no setting that disables the affected output, so there is no configuration-level workaround. Until the update is applied, treat Contributor submissions as untrusted and audit existing post content for the plugin's shortcodes whose attribute values contain quote characters, event-handler names such as onerror or onmouseover, or javascript: URLs.
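The following is an added example, not the Icon Widget plugin's own code, showing the defect class described under Vulnerability and the kind of fix described under Mitigation. The shortcode tag `[demo_icon]` and its attributes `icon`, `color`, `link` and `title` are hypothetical; the WordPress functions called (`shortcode_atts`, `sanitize_html_class`, `esc_url`, `esc_attr`, `add_shortcode`) are real core APIs.

```php
<?php
// Added illustrative example, not Icon Widget's own code. The shortcode tag
// [demo_icon] and its attributes (icon, color, link, title) are hypothetical.

/**
 * Vulnerable pattern: shortcode_atts() fills in defaults but performs no
 * sanitization, and the values are concatenated straight into HTML.
 *
 * A Contributor can save:
 *   [demo_icon title='" onmouseover="alert(document.domain)']
 * KSES leaves this alone (there is no HTML tag for it to filter), and the
 * rendered output becomes a <span> carrying an injected event handler.
 */
function demo_icon_shortcode_vulnerable( $atts ) {
	$a = shortcode_atts(
		array( 'icon' => 'star', 'color' => '#333', 'link' => '', 'title' => '' ),
		$atts,
		'demo_icon'
	);

	$html = '<span class="icon icon-' . $a['icon'] . '"'
	      . ' style="color:' . $a['color'] . '"'
	      . ' title="' . $a['title'] . '"></span>';

	if ( '' !== $a['link'] ) {
		// href is also unescaped, so link="javascript:alert(1)" is accepted as-is.
		$html = '<a href="' . $a['link'] . '">' . $html . '</a>';
	}
	return $html;
}

/**
 * Hardened pattern: constrain each value to what the attribute legitimately
 * holds, then escape for the exact output context (HTML attribute vs. URL).
 */
function demo_icon_shortcode_hardened( $atts ) {
	$a = shortcode_atts(
		array( 'icon' => 'star', 'color' => '#333', 'link' => '', 'title' => '' ),
		$atts,
		'demo_icon'
	);

	// Class token: sanitize_html_class() keeps only A-Z, a-z, 0-9, '-' and '_',
	// falling back to 'star' if nothing survives.
	$icon = sanitize_html_class( $a['icon'], 'star' );

	// Colour: allow only #rgb / #rrggbb (a plain regex is used here rather than
	// a core helper) so nothing can close the style attribute or inject CSS.
	$color = preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $a['color'] ) ? $a['color'] : '#333';

	// URL: esc_url() returns '' for javascript:, data: and other schemes outside
	// the allowed-protocol list, and entity-encodes the rest for attribute use.
	$link = esc_url( $a['link'] );

	// Free text into an attribute: esc_attr() encodes " ' < > & so the value
	// cannot terminate the attribute or start a new one.
	$html = sprintf(
		'<span class="icon icon-%s" style="color:%s" title="%s"></span>',
		esc_attr( $icon ),
		esc_attr( $color ),
		esc_attr( $a['title'] )
	);

	if ( '' !== $link ) {
		$html = sprintf( '<a href="%s">%s</a>', $link, $html );
	}
	return $html;
}

add_shortcode( 'demo_icon', 'demo_icon_shortcode_hardened' );
```

The trap in the vulnerable version is that `shortcode_atts()` looks like a validation step but only merges defaults; every attribute still arrives as arbitrary Contributor-controlled text. The hardened version pairs each attribute with the narrowest sanitizer that still admits legitimate values and then escapes at output, which is the same two-step (sanitize on input, escape for context) that the advisory says was missing.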
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE assigned), both listing the affected range as <=1.3.0
Patches
- r3068501
References (3)
News mentions (0)