CVE-2024-0664 in Meks Smart Social Widget Plugin
Summary
by MITRE • 01/27/2024
The Meks Smart Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meks Smart Social Widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2024-0664 affects the Meks Smart Social Widget plugin for WordPress, representing a critical stored cross-site scripting flaw that poses significant security risks to affected installations. This vulnerability exists in all versions up to and including 1.6.3, making it a persistent threat that has likely been exploited in the wild. The flaw stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase, creating an attack vector that allows malicious actors to inject persistent malicious scripts into the WordPress environment. The vulnerability specifically targets the Meks Smart Social Widget functionality, which is designed to display social media widgets on WordPress sites, but becomes a conduit for malicious code execution when proper security measures are not implemented.
The technical exploitation of this vulnerability requires an authenticated attacker with administrator-level privileges, which significantly reduces the attack surface but does not eliminate the danger. Once an attacker gains administrative access, they can leverage this weakness to inject arbitrary web scripts that will execute whenever any user accesses pages containing the injected content. This stored XSS vulnerability operates by persisting malicious payloads within the plugin's data storage mechanisms, ensuring that the injected scripts remain active until manually removed or until the vulnerability is patched. The attack is particularly concerning because it can affect any user who visits pages containing the malicious content, potentially leading to widespread compromise of user sessions, data theft, or redirection to malicious sites. The vulnerability's impact is further amplified in multi-site WordPress installations where the malicious code can propagate across multiple sites within the network, and in installations where unfiltered_html has been disabled, which typically represents environments with heightened security expectations.
The operational impact of CVE-2024-0664 extends beyond simple script execution, as it can enable attackers to perform sophisticated attacks such as session hijacking, credential theft, and data exfiltration from compromised WordPress installations. The stored nature of the vulnerability means that the malicious scripts remain persistent even after the initial injection, allowing attackers to maintain long-term access to affected systems. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and represents a classic example of how insufficient input validation and output escaping can create dangerous security holes. From an ATT&CK framework perspective, this vulnerability enables several tactics including privilege escalation through administrative access, initial access via compromised credentials, and command and control activities through the execution of malicious scripts. The vulnerability also intersects with ATT&CK technique T1566, which covers social engineering and credential harvesting, as the malicious scripts could be designed to capture user credentials or personal information. Organizations running affected WordPress installations face potential data breaches, reputational damage, and compliance violations, particularly in regulated environments where user data protection is mandatory. The vulnerability's impact is exacerbated by the fact that it only requires administrative access to exploit, which suggests that existing security controls may be insufficient to prevent privilege escalation attacks or that administrative accounts may be compromised through other vectors. This makes the vulnerability particularly dangerous in environments where administrators have broad access rights or where privilege separation is not properly implemented.