CVE-2024-7355: Organization chart <= 1.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description Parameters
The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_input’ and 'node_description' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure charts can be extended to subscribers.
Affected Software
Remediation
Patch Available
Event History
Frequently Asked Questions
What is the severity of CVE-2024-7355?
CVE-2024-7355 is classified as a medium severity stored cross-site scripting vulnerability.
How do I fix CVE-2024-7355?
To fix CVE-2024-7355, update the WordPress Organization Chart plugin to version 1.5.1 or later.
What are the affected versions of CVE-2024-7355?
CVE-2024-7355 affects all versions of the WordPress Organization Chart plugin up to and including 1.5.0.
What is stored cross-site scripting in CVE-2024-7355?
Stored cross-site scripting in CVE-2024-7355 allows attackers to inject malicious scripts that can be executed in the context of users accessing the affected site.
Who is vulnerable to CVE-2024-7355?
Any WordPress site using the Organization Chart plugin version 1.5.0 or earlier is vulnerable to CVE-2024-7355.