CVE-2024-11720: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shabti Frontend Admin by DynamiApps
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default.
AI Analysis
Technical Summary
CVE-2024-11720 is a stored cross-site scripting vulnerability (CWE-79) in the Frontend Admin by DynamiApps plugin for WordPress, affecting all versions up to and including 3.24.5. The issue is due to improper neutralization of input during web page generation on the new Taxonomy submission form, enabling unauthenticated attackers to inject arbitrary web scripts that execute when a user views the injected page. Exploitation depends on lower-level user permissions to submit forms, which are disabled by default. The vulnerability has a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity with scope change.
Potential Impact
Successful exploitation allows unauthenticated attackers to perform stored cross-site scripting attacks, potentially leading to arbitrary script execution in the context of users viewing the affected pages. This can result in information disclosure and integrity impacts. However, exploitation requires that lower-level users have form submission permissions enabled, which is not the default configuration. There are no known active exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability depends on lower-level user permissions to submit forms, ensure that such permissions remain disabled if not required. Monitor for vendor updates or patches addressing this issue and apply them promptly once available.
CVE-2024-11720: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shabti Frontend Admin by DynamiApps
Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-11720 is a stored cross-site scripting vulnerability (CWE-79) in the Frontend Admin by DynamiApps plugin for WordPress, affecting all versions up to and including 3.24.5. The issue is due to improper neutralization of input during web page generation on the new Taxonomy submission form, enabling unauthenticated attackers to inject arbitrary web scripts that execute when a user views the injected page. Exploitation depends on lower-level user permissions to submit forms, which are disabled by default. The vulnerability has a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity with scope change.
Potential Impact
Successful exploitation allows unauthenticated attackers to perform stored cross-site scripting attacks, potentially leading to arbitrary script execution in the context of users viewing the affected pages. This can result in information disclosure and integrity impacts. However, exploitation requires that lower-level users have form submission permissions enabled, which is not the default configuration. There are no known active exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability depends on lower-level user permissions to submit forms, ensure that such permissions remain disabled if not required. Monitor for vendor updates or patches addressing this issue and apply them promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-25T18:46:33.081Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e1ab7ef31ef0b5953a5
Added to database: 2/25/2026, 9:48:10 PM
Last enriched: 4/9/2026, 12:24:11 PM
Last updated: 4/12/2026, 3:49:27 PM
Views: 17
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.