CVE-2024-2458 in Powerkit Plugin
Summary
by MITRE • 04/06/2024
The Powerkit – Supercharge your WordPress Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-2458 affects the Powerkit plugin for WordPress, specifically targeting versions up to and including 2.9.1. This represents a critical security flaw that undermines the integrity of WordPress installations by enabling stored cross-site scripting attacks through the plugin's shortcode functionality. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes within the plugin's shortcode implementation.
The technical flaw manifests when authenticated attackers with contributor-level permissions or higher exploit the insufficient validation controls to inject malicious JavaScript code through shortcode attributes. These injected scripts become permanently stored within the WordPress database and execute whenever any user accesses pages containing the compromised shortcodes. The vulnerability operates at the application layer and specifically targets the plugin's handling of user input, creating a persistent threat vector that can affect multiple users depending on the scope of affected pages. This type of vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to compromised WordPress installations. Contributors and higher-level users possess sufficient privileges to modify content and inject malicious code, making this vector particularly dangerous in multi-user environments where multiple roles exist. The stored nature of the XSS attack means that the malicious code remains active until manually removed, potentially affecting all users who view the compromised pages. Attackers could leverage this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users with the privileges of the compromised accounts.
Mitigation strategies for CVE-2024-2458 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Administrators must implement strict role-based access controls to limit contributor-level permissions to only trusted users, as this vulnerability requires at least contributor privileges to exploit successfully. Regular security audits of installed plugins should include verification of input validation and output escaping practices, particularly for plugins that handle user-generated content or shortcode functionality. Network monitoring solutions should be configured to detect suspicious script injections, and web application firewalls can provide additional protection layers. Additionally, implementing content security policies and regular security scanning of WordPress installations helps identify and remediate similar vulnerabilities across the entire platform ecosystem.