CVE-2024-7963

The CMSMasters Content Composer plugin for WordPress, versions up to and including 1.8.8, contains a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within multiple shortcodes provided by the plugin [1].

An attacker with at least contributor-level access can inject arbitrary web scripts into pages or posts via the vulnerable shortcode attributes. The attack does not require admin privileges, lowering the barrier for content manipulation, and the injected script executes whenever a victim accesses the affected page [1].

Successful exploitation allows an attacker to execute JavaScript in the browser of any user viewing the compromised page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites [1].

As of the publication date, users should update the plugin to version 1.8.9 or later if available, or apply a virtual patch via a web application firewall. No workaround short of disabling the plugin is provided [1].