CVE-2024-3030 in Announce from the Dashboard Plugin
Summary
by MITRE • 04/04/2024
The Announce from the Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-3030 affects the Announce from the Dashboard plugin for WordPress, representing a critical stored cross-site scripting weakness that compromises web application security. This flaw exists in all versions up to and including 1.5.2, making it a persistent threat across multiple plugin iterations. The vulnerability specifically targets the plugin's handling of admin settings where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied data before storing and rendering it within the application's interface. The security implications are particularly severe because the vulnerability requires only authenticated access with administrator-level permissions or higher, making it exploitable by insiders or compromised administrators who have already gained elevated privileges within the WordPress environment.
The technical exploitation of this vulnerability occurs through a stored XSS vector where malicious scripts are injected into the plugin's administrative settings and subsequently stored within the WordPress database. When other users access pages that contain the injected content, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or further compromise of the affected WordPress installation. This vulnerability is particularly dangerous in multi-site WordPress installations where the impact can extend across multiple subsites within a single network, amplifying the potential damage. The condition that restricts this vulnerability to installations where unfiltered_html has been disabled creates a specific attack surface that security administrators must carefully monitor, as it indicates the vulnerability is most prevalent in environments with stricter content filtering policies.
The operational impact of CVE-2024-3030 extends beyond simple script execution to encompass potential full system compromise when combined with other attack vectors. Attackers can leverage this vulnerability to establish persistent access within the WordPress environment, manipulate administrative interfaces, or redirect users to malicious domains. The vulnerability aligns with CWE-79 which classifies cross-site scripting flaws as weaknesses in input validation and output encoding, and it maps to ATT&CK technique T1059.007 for command and scripting interpreter usage. Organizations using this plugin in multi-site configurations face heightened risk, as a single compromised administrator account can potentially affect multiple sites within the network. The vulnerability's persistence stems from the stored nature of the XSS payload, meaning that once injected, malicious scripts remain active until manually removed from the database, creating ongoing security exposure.
Mitigation strategies for CVE-2024-3030 require immediate action including upgrading to the latest plugin version where the vulnerability has been patched, implementing additional security monitoring for suspicious administrative activities, and conducting thorough security audits of plugin configurations. System administrators should also consider implementing web application firewalls to detect and block potential XSS payloads, while ensuring that proper input validation and output escaping mechanisms are enforced throughout the WordPress environment. The vulnerability highlights the critical importance of maintaining up-to-date plugins and themes, as well as implementing proper access controls and monitoring for administrative activities. Organizations should also consider implementing security awareness training for administrators to prevent social engineering attacks that might lead to privilege escalation, and establish regular vulnerability scanning procedures to identify similar weaknesses in other plugins or components within their WordPress installations.