Threat Entry Updated 2024-10-25

CVE-2024-10176 - Compact Wp Audio Player Plugin

The Compact WP Audio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_embed_player shortcode in all versions up to, and including, 1.9.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Compact Wp Audio Player

CVE-2024-10176

MEDIUM CVSS 6.4 2024-10-24

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24735 - Compact Wp Audio Player Plugin

The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.

PLUGIN Compact Wp Audio Player

CVE-2021-24735

MEDIUM CVSS 6.5 2021-10-18

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24734 - Compact Wp Audio Player Plugin

The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Compact Wp Audio Player

CVE-2021-24734

MEDIUM CVSS 5.4 2021-10-18

Risk Score

Open Full Technical Breakdown