CVE-2024-49266
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thimo Grauerholz WP-Spreadplugin wp-spreadplugin allows Cross-Site Scripting (XSS). This issue affects WP-Spreadplugin: from n/a through <= 4.8.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP-Spreadplugin WordPress plugin (≤4.8.9) is vulnerable to stored Cross-Site Scripting (XSS) via improper input neutralization, with no patch available.
Vulnerability
The WP-Spreadplugin (slug: wp-spreadplugin) is a WordPress plugin that was closed and removed from the official WordPress plugin directory on 2024-09-23 due to a security issue [1]. The vulnerability is a Stored Cross-Site Scripting (XSS) caused by improper neutralization of input during web page generation. All versions from n/a through 4.8.9 are affected. The plugin is no longer available for download from the WordPress.org directory [1].
Exploitation
An attacker with the ability to submit or inject content into the plugin (such as a contributor-level user or via crafted input fields) can inject malicious JavaScript code. The injected script will be stored and later executed in the browsers of other users (including administrators) who view the compromised page. No special network position beyond normal web access is required for an authenticated attacker.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The attacker does not necessarily gain direct access to server-side data but can perform actions with the victim's privileges within the WordPress admin area, potentially escalating to full site compromise.
Mitigation
No patched version exists or is distributed, as the plugin has been permanently closed and removed from the WordPress plugin directory [1]. Users who have the plugin installed should uninstall it immediately and replace its functionality with an alternative plugin. There is no official fix or workaround provided by the vendor. The plugin is not known to be listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
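The uninstall advice in the Mitigation section can be turned into an inventory check. The script below is an added example, not code from this advisory or from the plugin: it parses the JSON that WP-CLI's `wp plugin list --format=json` prints and flags any wp-spreadplugin install at or below 4.8.9. The sample JSON is constructed; on a real site you would feed it the command's actual output.

```python
import json

# Values taken from the advisory: the plugin slug and the top of the affected range.
AFFECTED_SLUG = "wp-spreadplugin"
MAX_AFFECTED_VERSION = "4.8.9"

# Constructed sample of `wp plugin list --format=json` output (not data from a real site).
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "wp-spreadplugin", "status": "active", "update": "none", "version": "4.8.9"},
])


def parse_version(version: str) -> tuple:
    """Turn '4.8.9' into (4, 8, 9).

    Non-numeric pieces (e.g. 'n/a', '-beta') become 0 and trailing zeros are
    dropped, so 'n/a' sorts below everything and '4.8.9-beta' compares equal
    to '4.8.9' instead of above it.
    """
    parts = []
    for piece in version.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's range (<= 4.8.9)."""
    return parse_version(version) <= parse_version(MAX_AFFECTED_VERSION)


def find_affected_plugins(wp_cli_json: str) -> list:
    """Return the wp-spreadplugin entries whose version falls in the affected range."""
    hits = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") != AFFECTED_SLUG:
            continue
        version = plugin.get("version", "n/a")  # missing version is treated as affected
        if is_affected(version):
            hits.append({"name": AFFECTED_SLUG, "version": version,
                         "status": plugin.get("status", "unknown")})
    return hits


if __name__ == "__main__":
    for hit in find_affected_plugins(SAMPLE_WP_CLI_OUTPUT):
        print(f"{hit['name']} {hit['version']} ({hit['status']}): no patch exists, uninstall it")
```

Because no fixed release exists, a match should trigger removal of the plugin rather than an update check.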
Affected products
- Range: <= 4.8.9
Patches
wp-spreadplugin: This plugin has been removed from the WordPress.org directory on 2024-09-23 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.