CVE-2024-7918 in Pocket Widget Plugin
Summary
by MITRE • 09/09/2024
The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/11/2025
The vulnerability identified as CVE-2024-7918 affects the Pocket Widget WordPress plugin version 0.1.3 and earlier, representing a critical stored cross-site scripting flaw that undermines the security of WordPress installations. This vulnerability specifically targets the plugin's handling of user settings, where insufficient sanitization and escaping of input data creates persistent XSS attack vectors. The flaw is particularly concerning because it can be exploited by users with administrative privileges, even in environments where the unfiltered_html capability has been restricted, such as in multisite configurations where such restrictions are commonly enforced to maintain security boundaries.
The technical nature of this vulnerability stems from the plugin's failure to properly validate and sanitize user-provided input within its settings management system. When administrators configure the Pocket Widget plugin, they may inadvertently introduce malicious scripts into fields that are not adequately sanitized before being stored in the database. These stored scripts are then executed whenever the affected pages are loaded, allowing attackers to inject malicious code that can persist across user sessions and potentially compromise the entire WordPress installation. The vulnerability operates under CWE-79 which specifically addresses Cross-Site Scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious content.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform privilege escalation, steal session cookies, redirect users to malicious sites, or even execute arbitrary commands on the affected server if combined with other exploitation techniques. In multisite environments where administrative capabilities are more strictly controlled, this vulnerability becomes even more dangerous as it can be leveraged to gain unauthorized access to sensitive administrative functions. The persistence of stored XSS attacks means that the malicious code remains active until manually removed from the plugin settings, potentially allowing attackers to maintain long-term access to compromised systems.
Organizations should immediately update to the latest version of the Pocket Widget plugin to remediate this vulnerability, as no effective workarounds exist without modifying the plugin's core functionality. Security administrators should also implement monitoring for suspicious plugin settings changes and conduct thorough security audits of all installed plugins to identify similar sanitization issues. The vulnerability demonstrates the critical importance of input validation and output escaping in web applications, particularly in content management systems where administrative users have elevated privileges and can introduce persistent security threats through seemingly benign configuration changes.