CVE-2024-54317
Description
Stored XSS in Google Web Stories plugin for WordPress ≤1.37.0 allows authenticated attackers with contributor access to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Web Stories plugin for WordPress, in all versions up to and including 1.37.0, does not properly sanitize user input when creating stories, leading to a stored cross-site scripting (XSS) vulnerability [1]. An attacker with contributor-level access or higher can inject malicious scripts into story content.
Exploitation
An attacker must have at least contributor-level access to the WordPress site. The attacker can create or edit a story and inject malicious JavaScript into fields that are not properly sanitized. When other users view the story, the script executes in their browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, affecting all users who view the compromised story.
Mitigation
Update the Web Stories plugin to version 1.38.0 or later, which contains the fix for this vulnerability. As of [1], the latest version is 1.42.0. If updating is not possible, restrict contributor and author roles to trusted users.
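A triage check for the mitigation above, added here as an example rather than anything from the advisory or the plugin's own tooling: it compares an installed version against the affected range (<=1.37.0) with numeric rather than lexical ordering, so that 1.9.0 is correctly classed as affected even though it sorts after 1.37.0 as a string. The WP-CLI plugin slug `web-stories`, the `WP_PATH` variable, and the fixed version 1.38.0 taken from the mitigation text are assumptions of this example.

```shell
#!/bin/sh
# Added example for CVE-2024-54317 (Web Stories <= 1.37.0); not from the advisory.
# Assumptions: WP-CLI slug "web-stories", fixed version 1.38.0 (from the mitigation text).
AFFECTED_MAX="1.37.0"
FIXED="1.38.0"

# version_le A B -> exit 0 if A <= B, comparing each dotted component numerically.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0;   # missing components count as 0
      y = (i <= nb) ? pb[i] + 0 : 0;
      if (x < y) exit 0;
      if (x > y) exit 1;
    }
    exit 0;                           # all components equal
  }'
}

# is_affected VERSION -> prints a verdict; exit 0 if affected, 1 otherwise.
is_affected() {
  if version_le "$1" "$AFFECTED_MAX"; then
    echo "web-stories $1: AFFECTED by CVE-2024-54317 (<= $AFFECTED_MAX); update to $FIXED or later"
    return 0
  fi
  echo "web-stories $1: not affected (>= $FIXED)"
  return 1
}

# On a real site, read the installed version via WP-CLI (WP_PATH is an assumed
# variable pointing at the WordPress root). Otherwise run the constructed samples.
if [ -n "$WP_PATH" ] && command -v wp >/dev/null 2>&1; then
  installed=$(wp plugin get web-stories --field=version --path="$WP_PATH" 2>/dev/null)
  [ -n "$installed" ] && { is_affected "$installed" || :; }
else
  for v in 1.9.0 1.37.0 1.38.0 1.42.0; do
    is_affected "$v" || :
  done
fi
```

Run it as-is to see the constructed samples evaluated, or set `WP_PATH=/var/www/site` on a host with WP-CLI to check the live installation; the exit status of `is_affected` makes it usable from a cron job or fleet-wide inventory script.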
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.37.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.