VYPR
Unrated severityNVD Advisory· Published Jan 7, 2025· Updated Jan 7, 2025

WordPress Auction <= 3.7 - Editor+ Stored XSS

CVE-2024-8857

Description

The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Stored Cross-Site Scripting attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing sanitization and escaping of plugin settings allows stored cross-site scripting."

Attack vector

An attacker with editor-level privileges (high privilege user) can inject malicious JavaScript into plugin settings that are not sanitized or escaped [ref_id=1]. When an administrator or other user views the affected settings page, the stored script executes in their browser. This is a Stored Cross-Site Scripting (XSS) attack [CWE-79] [ref_id=1]. The attack requires authenticated access with at least editor capabilities.

Affected code

The WordPress Auction Plugin (wp-auctions) through version 3.7 does not sanitize and escape some of its settings [ref_id=1]. The advisory does not specify the exact file or function names where the missing sanitization occurs.

What the fix does

No fix has been published for this vulnerability [ref_id=1]. The advisory notes "No known fix" [ref_id=1]. To remediate, the plugin should sanitize settings when they are saved and escape them when they are output, particularly for fields that high-privilege users like editors can modify, so that stored markup cannot execute in another user's browser.
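The pattern described above, as an added illustration rather than code from the wp-auctions plugin (the advisory does not name the affected files or functions): a hypothetical settings field saved and printed without sanitisation, beside the hardened form using WordPress's own sanitize_callback, capability check, nonce and output escaping. The option name `auction_title` and all `vypr_example_*` function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Option and function names are hypothetical.

// --- Vulnerable pattern: raw POST value stored, raw option echoed into HTML ---
function vypr_example_save_raw() {
    // No capability check, no nonce, no sanitisation: value is stored verbatim.
    if ( isset( $_POST['auction_title'] ) ) {
        update_option( 'auction_title', $_POST['auction_title'] );
    }
}
function vypr_example_render_raw() {
    $title = get_option( 'auction_title', '' );
    // Unescaped attribute value: stored markup is rendered as-is for whoever views the page.
    echo '<input type="text" name="auction_title" value="' . $title . '">';
}

// --- Hardened pattern: sanitise on input, escape on output, restrict who may save ---
function vypr_example_register() {
    register_setting(
        'vypr_example_group',
        'auction_title',
        array(
            'type'              => 'string',
            // Strips tags, NUL bytes and stray whitespace before the value reaches the database.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'vypr_example_register' );

function vypr_example_save_hardened() {
    // Only administrators may change plugin settings; editors are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'vypr_example_save' ); // CSRF nonce tied to this action
    $clean = sanitize_text_field( wp_unslash( $_POST['auction_title'] ?? '' ) );
    update_option( 'auction_title', $clean );
}

function vypr_example_render_hardened() {
    $title = get_option( 'auction_title', '' );
    // Escape for the HTML attribute context at the point of output;
    // use esc_html() for text nodes, or wp_kses_post() if limited HTML is intended.
    printf( '<input type="text" name="auction_title" value="%s">', esc_attr( $title ) );
}
```

Sanitising on save alone is not enough: the escaping call at output is what guarantees a value that slipped in through another path cannot run as script.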

Preconditions

  • Authentication: the attacker must have an authenticated account with at least Editor-level privileges on the WordPress site
  • Configuration: the vulnerable plugin (wp-auctions) version 3.7 or earlier must be installed and active
  • Network: the attacker must be able to reach the plugin settings page where the unsanitized input is stored

Reproduction

Log in as an Editor-level user. Navigate to the WordPress Auction Plugin settings page. In one of the settings fields that lacks sanitization, enter a malicious payload such as `

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
