CVE-2024-1401 in Profile Box Shortcode and Widget Plugin
Summary
by MITRE • 03/19/2024
The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/16/2025
The vulnerability identified as CVE-2024-1401 affects the Profile Box Shortcode And Widget WordPress plugin version 1.2.0 and earlier, presenting a critical security risk through stored cross-site scripting exploits. This issue arises from inadequate input sanitization and output escaping mechanisms within the plugin's code implementation, specifically targeting the handling of user-provided settings data. The vulnerability is particularly concerning because it enables high-privilege users such as administrators to inject malicious scripts that persist within the plugin's settings, making the attack vector particularly dangerous in multi-site environments where security controls may be more restrictive.
The technical flaw stems from the plugin's failure to properly sanitize user inputs before storing them in the database and subsequently outputting them without adequate escaping mechanisms. This creates a classic stored XSS vulnerability where malicious scripts can be injected into the plugin's configuration settings and then executed whenever the affected page is loaded. The vulnerability is especially dangerous because it operates even when the unfiltered_html capability is restricted, which is a common security measure in WordPress multisite installations to prevent unauthorized HTML injection. This restriction typically prevents users without elevated privileges from injecting raw HTML, but the flaw allows administrators to bypass these protections through the plugin's insufficient sanitization routines.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, data exfiltration, and privilege escalation within the WordPress environment. In a multisite setup, the implications are even more severe since the vulnerability can potentially compromise multiple sites within the network through a single compromised plugin instance. The stored nature of the XSS means that the malicious code persists until manually removed, allowing attackers to maintain persistent access and execute long-term attacks against users who visit pages containing the vulnerable shortcode or widget.
Security professionals should consider this vulnerability in the context of the CWE-79 weakness category, which specifically addresses cross-site scripting vulnerabilities, and the ATT&CK framework's T1548.003 technique for privilege escalation through web shell deployment. The vulnerability also aligns with the OWASP Top Ten category A03:2021 - Injection, as it represents an injection flaw in the plugin's data handling processes. Organizations should immediately update to version 1.2.1 or later of the Profile Box Shortcode And Widget plugin to remediate this issue, while also conducting thorough security audits of other third-party plugins to identify similar sanitization gaps. Additionally, administrators should review and tighten security policies around plugin installations and updates, particularly in multisite environments where the attack surface is expanded through shared infrastructure and user management systems.