CVE-2024-2697 - Vulnerability Details - OpenCVE

The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00316.

Key SSVC decision points have not yet been added.

Vendors	Products
Swiftideas	Swift Framework

Configuration 1 [-]

cpe:2.3:a:swiftideas:swift_framework:*:*:*:*:*:wordpress:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/socialdriver-framework/swift-framework-202400-authenticated-contributor-stored-cross-site-scripting-via-shortcode

History

Mon, 30 Jun 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Swiftideas Swiftideas swift Framework
CPEs		cpe:2.3:a:swiftideas:swift_framework::::::wordpress::*
Vendors & Products		Swiftideas Swiftideas swift Framework

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/socialdriver-framework/swift-framework-202400-authenticated-contributor-stored-cross-site-scripting-via-shortcode

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-05-17T06:00:01.759Z

Updated: 2024-08-01T19:18:48.397Z

Reserved: 2024-03-19T20:54:36.107Z

Link: CVE-2024-2697

Vulnrichment

Updated: 2024-08-01T19:18:48.397Z

NVD

Status : Analyzed

Published: 2024-05-17T06:15:51.443

Modified: 2025-06-30T17:58:22.433

Link: CVE-2024-2697

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2697", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2024-03-19T20:54:36.107Z", "datePublished": "2024-05-17T06:00:01.759Z", "dateUpdated": "2024-08-01T19:18:48.397Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-05-17T06:00:01.759Z"}, "title": "Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "socialdriver-framework", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2024.0.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins."}], "references": [{"url": "https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Bob Matyas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/socialdriver-framework/swift-framework-202400-authenticated-contributor-stored-cross-site-scripting-via-shortcode"}], "affected": [{"vendor": "swift_framework", "product": "socialdriver-framework", "cpes": ["cpe:2.3:a:swift_framework:socialdriver-framework:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2024.0.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-21T19:52:13.508118Z", "id": "CVE-2024-2697", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:58:55.143Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:18:48.397Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:18:48.397Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-2697", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T19:52:13.508118Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:swift_framework:socialdriver-framework:*:*:*:*:*:*:*:*"], "vendor": "swift_framework", "product": "socialdriver-framework", "versions": [{"status": "affected", "version": "0", "lessThan": "2024.0.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/socialdriver-framework/swift-framework-202400-authenticated-contributor-stored-cross-site-scripting-via-shortcode"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-21T19:59:55.724Z"}}], "cna": {"title": "Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Matyas"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "socialdriver-framework", "versions": [{"status": "affected", "version": "0", "lessThan": "2024.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-05-17T06:00:01.759Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2697", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:18:48.397Z", "dateReserved": "2024-03-19T20:54:36.107Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2024-05-17T06:00:01.759Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swiftideas:swift_framework:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D2F8EE9C-5C74-4EBF-AF47-2BB9BDF6D137", "versionEndExcluding": "2024.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins."}, {"lang": "es", "value": "El complemento de WordPress socialdriver-framework anterior a 2024.0.0 no valida ni escapa algunos de sus atributos de c\u00f3digo corto antes de devolverlos a la p\u00e1gina, lo que podr\u00eda permitir a los usuarios con un rol tan bajo como colaborador realizar ataques de Cross-Site Scripting almacenado que podr\u00edan ser utilizados contra usuarios con privilegios elevados, como administradores."}], "id": "CVE-2024-2697", "lastModified": "2025-06-30T17:58:22.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-17T06:15:51.443", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/c430b30d-61db-45f5-8499-91b491503b9c/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/socialdriver-framework/swift-framework-202400-authenticated-contributor-stored-cross-site-scripting-via-shortcode"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}