Search
Find a vulnerability
Search criteria
4 vulnerabilities found for Web Stories by Google
CVE-2024-54317 (GCVE-0-2024-54317)
Vulnerability from nvd – Published: 2024-12-13 14:25 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Web Stories plugin <= 1.37.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Google Web Stories web-stories allows Stored XSS.This issue affects Web Stories: from n/a through <= 1.37.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Web Stories |
Affected:
0 , ≤ 1.37.0
(custom)
|
Date Public
2026-04-01 16:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T16:15:29.201089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T16:15:39.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "web-stories",
"product": "Web Stories",
"vendor": "Google",
"versions": [
{
"changes": [
{
"at": "1.38.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.37.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "shinobu | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:30:29.623Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Google Web Stories web-stories allows Stored XSS.\u003cp\u003eThis issue affects Web Stories: from n/a through \u003c= 1.37.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Google Web Stories web-stories allows Stored XSS.This issue affects Web Stories: from n/a through \u003c= 1.37.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:49.911Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/web-stories/vulnerability/wordpress-web-stories-plugin-1-37-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Web Stories plugin \u003c= 1.37.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54317",
"datePublished": "2024-12-13T14:25:24.510Z",
"dateReserved": "2024-12-02T12:04:52.947Z",
"dateUpdated": "2026-04-28T16:10:49.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3708 (GCVE-0-2022-3708)
Vulnerability from nvd – Published: 2022-10-28 18:58 – Updated: 2026-04-08 17:01
VLAI
Title
Web Stories <= 1.24.0 - Server Side Request Forgery
Summary
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Web Stories |
Affected:
0 , ≤ 1.24.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:57.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/web-stories"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3708"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:14:07.288549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T12:57:12.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Stories",
"vendor": "google",
"versions": [
{
"lessThanOrEqual": "1.24.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aymen Borgi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the \u0027url\u0027 parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:48.973Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e?source=cve"
},
{
"url": "https://wordpress.org/plugins/web-stories"
},
{
"url": "https://github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0"
},
{
"url": "https://github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b"
},
{
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3708"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-10-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Web Stories \u003c= 1.24.0 - Server Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-3708",
"datePublished": "2022-10-28T18:58:21.842Z",
"dateReserved": "2022-10-26T21:31:29.199Z",
"dateUpdated": "2026-04-08T17:01:48.973Z",
"requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54317 (GCVE-0-2024-54317)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:25 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Web Stories plugin <= 1.37.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Google Web Stories web-stories allows Stored XSS.This issue affects Web Stories: from n/a through <= 1.37.0.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Web Stories |
Affected:
0 , ≤ 1.37.0
(custom)
|
Date Public
2026-04-01 16:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T16:15:29.201089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T16:15:39.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "web-stories",
"product": "Web Stories",
"vendor": "Google",
"versions": [
{
"changes": [
{
"at": "1.38.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.37.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "shinobu | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:30:29.623Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Google Web Stories web-stories allows Stored XSS.\u003cp\u003eThis issue affects Web Stories: from n/a through \u003c= 1.37.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Google Web Stories web-stories allows Stored XSS.This issue affects Web Stories: from n/a through \u003c= 1.37.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:49.911Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/web-stories/vulnerability/wordpress-web-stories-plugin-1-37-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Web Stories plugin \u003c= 1.37.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54317",
"datePublished": "2024-12-13T14:25:24.510Z",
"dateReserved": "2024-12-02T12:04:52.947Z",
"dateUpdated": "2026-04-28T16:10:49.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3708 (GCVE-0-2022-3708)
Vulnerability from cvelistv5 – Published: 2022-10-28 18:58 – Updated: 2026-04-08 17:01
VLAI
Title
Web Stories <= 1.24.0 - Server Side Request Forgery
Summary
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Web Stories |
Affected:
0 , ≤ 1.24.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:57.117Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/web-stories"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3708"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:14:07.288549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T12:57:12.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Stories",
"vendor": "google",
"versions": [
{
"lessThanOrEqual": "1.24.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aymen Borgi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the \u0027url\u0027 parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:48.973Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7817a840-325a-4709-8374-84bb32d98d0e?source=cve"
},
{
"url": "https://wordpress.org/plugins/web-stories"
},
{
"url": "https://github.com/GoogleForCreators/web-stories-wp/compare/v1.24.0...v1.25.0"
},
{
"url": "https://github.com/GoogleForCreators/web-stories-wp/commit/3ad2099f95155d658624ffac2e34ce0da739e34b"
},
{
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3708"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-10-26T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Web Stories \u003c= 1.24.0 - Server Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-3708",
"datePublished": "2022-10-28T18:58:21.842Z",
"dateReserved": "2022-10-26T21:31:29.199Z",
"dateUpdated": "2026-04-08T17:01:48.973Z",
"requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}