CVE-2024-7090 MEDIUM

CVE-2024-7090: LH Add Media From Url <= 1.23 - Reflected Cross-Site Scripting

Vendor Shawfactor

Product LH Add Media From Url

Weakness CWE-79 · XSS

Published August 21, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The LH Add Media From Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘lh_add_media_from_url-file_url’ parameter in all versions up to, and including, 1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

August 21, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-7090

Related vulnerabilities

04Related CVE

CVE-2024-11339 Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-12221 Turnkey bbPress by WeaverTheme <= 1.6.3 - Reflected Cross-Site Scripting via _wpnonce Parameter CVE-2026-22256 Salvo is vulnerable to reflected XSS in the list_html function CVE-2026-39708 WordPress UiCore Elements plugin <= 1.3.14 - Cross Site Scripting (XSS) vulnerability CVE-2025-26891 WordPress Ibtana plugin <= 1.2.5.9 - Cross Site Scripting (XSS) vulnerability