Medium severity6.4NVD Advisory· Published Sep 26, 2024· Updated Jun 17, 2026
CVE-2024-9177
CVE-2024-9177
Description
The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all versions up to, and including, 1.0.14, and up to, and including 1.0.15 for the plugin's themedy_button shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.0.14, <=1.0.15
- mahodder/Themedy Toolboxv5Range: 0
Patches
Vulnerability mechanics
References
3- plugins.trac.wordpress.org/changeset/3157836/nvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/755e0998-0f0d-4259-881d-ed07aecb0b10nvdThird Party Advisory
- wordpress.org/plugins/themedy-toolbox/nvdRelease Notes
News mentions
0No linked articles in our index yet.