cleantalk
Vulnerabilities and Security Researches

Spoki – Chat Buttons and WooCommerce Notifications, CVE-2024-11893

CVE, Research URL

CVE-2024-11893

Home page URL

Security reports for Spoki – Chat Buttons and WooCommerce Notifications

Application

Spoki – Chat Buttons and WooCommerce Notifications

Published on
Dec 20, 2024
Research Description
The Spoki – Chat Buttons and WooCommerce Notifications plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spoki_button' shortcode in all versions up to, and including, 2.15.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 2.15.16.
Status
vulnerable
Previous vulnerability researches
Spoki – Chat Buttons and WooCommerce Notifications (CVE-2024-11893) , Dec 21, 2024
Spoki – Chat Buttons and WooCommerce Notifications (CVE-2025-50026) , Jul 03, 2025
New vulnerability
MDJM Event Management (CVE-2025-52824) , Jul 03, 2025
OnionBuzz (CVE-2025-53312) , Jul 03, 2025
Hide Admin Bar From Front End (CVE-2025-53267) , Jul 03, 2025
WP Visual Sitemap (CVE-2025-53290) , Jul 03, 2025
ElementsKit Elementor addons (CVE-2025-4479) , Jul 03, 2025