Sydney Toolbox Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via _id – CVE-2024-2936 | WordPress Plugin Vulnerability Report

Plugin Name: Sydney Toolbox

Key Information:

  • Software Type: Plugin
  • Software Slug: sydney-toolbox
  • Software Status: Active
  • Software Author: athemes
  • Software Downloads: 2,161,148
  • Active Installs: 80,000
  • Last Updated: April 1, 2024
  • Patched Versions: 1.27
  • Affected Versions: <= 1.26

Vulnerability Details:

  • Name: Sydney Toolbox <= 1.26
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via _id
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2936
  • CVSS Score: 6.4
  • Publicly Published: March 28, 2024
  • Researchers: Ngô Thiên An (ancorn_) - VNPT-VCI and Phuoc Pham (p3tl0v3r) - VNPT Cyber Immunity
  • Description: The Sydney Toolbox plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the _id attribute of widgets, present in all versions up to, and including, 1.26. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that are executed when a user accesses an injected page.


The Sydney Toolbox plugin for WordPress has a vulnerability in versions up to and including 1.26 that allows for Stored Cross-Site Scripting via the _id attribute in widgets. This vulnerability has been addressed and patched in version 1.27.

Detailed Overview:

This vulnerability, discovered by researchers Ngô Thiên An and Phuoc Pham, highlights a critical security flaw in the Sydney Toolbox plugin, specifically in the handling of the _id attribute of widgets. Attackers with at least contributor-level access could exploit this vulnerability to inject malicious scripts into web pages, compromising the security of the site and its users. The risks associated with this vulnerability include unauthorized data access, session hijacking, and potentially even site control, underscoring the urgent need for remediation.

Advice for Users:

  • Immediate Action: Users of the Sydney Toolbox plugin should immediately update to the patched version 1.27 to mitigate the risk posed by this vulnerability.
  • Check for Signs of Vulnerability: Website administrators should review their sites for any unusual or unauthorized content changes, which may indicate that the vulnerability has been exploited.
  • Alternate Plugins: While the immediate risk has been addressed, users may consider exploring alternative plugins that offer similar functionality, especially if they have concerns about the plugin's security history.
  • Stay Updated: It's crucial to keep all WordPress plugins up to date to protect against known vulnerabilities. Regular updates and security practices can significantly enhance the security of your WordPress site.
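
One way to carry out the review step above, as an added example (not code from the plugin or from the researchers): a Python check that flags installs in the affected range and walks exported widget settings for _id values that are not plain tokens. The export layout, the sample data and the allowlist pattern for a legitimate _id are assumptions made for illustration.

```python
import re

# Assumption: a legitimate widget _id is a short alphanumeric token.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
LAST_AFFECTED = (1, 26)  # from the advisory: affected <= 1.26, patched in 1.27


def is_affected(version):
    """True when a Sydney Toolbox version string is in the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= LAST_AFFECTED


def find_suspicious_ids(node, path="$"):
    """Walk nested widget settings; return (path, value) for each _id that
    is not a plain token (quotes, angle brackets, spaces, non-strings)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "_id":
                if not (isinstance(value, str) and SAFE_ID.fullmatch(value)):
                    hits.append((child, value))
            else:
                hits.extend(find_suspicious_ids(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_suspicious_ids(item, f"{path}[{i}]"))
    return hits


# Constructed sample of exported widget settings (hypothetical layout).
SAMPLE_EXPORT = [
    {
        "widgetType": "example-widget",
        "settings": {
            "items": [
                {"_id": "a1b2c3d", "title": "First"},
                {"_id": 'e4f5" data-x="<b>', "title": "Second"},
            ]
        },
    }
]

if __name__ == "__main__":
    print("1.26 affected:", is_affected("1.26"))
    for where, value in find_suspicious_ids(SAMPLE_EXPORT):
        print("review:", where, repr(value))
```

A hit is a prompt for manual review of the page that holds the widget, not proof of exploitation.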


The discovery and subsequent patching of the Stored Cross-Site Scripting vulnerability in the Sydney Toolbox plugin serve as an important reminder of the continuous need for vigilance in the digital space. The prompt action taken by the plugin developers to release a patched version reinforces the critical importance of maintaining up-to-date software. Users are encouraged to ensure their installations are updated to version 1.27 or later to safeguard against this vulnerability.


Detailed Report: 

In the bustling digital marketplace, WordPress plugins like Sydney Toolbox stand out as invaluable tools for enhancing website functionality and user experience. However, the recent discovery of a vulnerability within this popular plugin serves as a poignant reminder of the latent risks that lurk within even the most trusted digital tools. This incident not only underscores the importance of cybersecurity vigilance but also highlights the need for regular maintenance to safeguard online assets against potential threats.

Sydney Toolbox at a Glance:

The Sydney Toolbox plugin, developed by athemes, is a cornerstone for many WordPress sites, with over 80,000 active installations and more than 2 million downloads. It is celebrated for its ability to extend the capabilities of the Sydney theme, allowing users to employ custom post types, widgets, and more to craft a compelling online presence.

Unveiling the Vulnerability:

The vulnerability in question was identified in versions of Sydney Toolbox up to and including 1.26. Dubbed CVE-2024-2936, this security flaw involves Stored Cross-Site Scripting (XSS) via the _id attribute in widgets. Insufficient input sanitization and output escaping on user-supplied attributes made it possible for authenticated users with contributor-level access or higher to inject arbitrary web scripts. These scripts could then be executed unwittingly by other users, leading to a range of security breaches.

Potential Risks and Impacts:

The ramifications of such a vulnerability cannot be overstated. From unauthorized data access and session hijacking to complete site takeover, the exploit could have dire consequences for website integrity and user trust. Given the plugin's widespread use, the potential impact was significant, putting countless sites at risk of compromise.

Remediation and Response:

In response to this discovery, the developers of Sydney Toolbox acted promptly, releasing version 1.27 to patch the vulnerability. For website owners and administrators, the immediate course of action is clear: update to the latest version of the plugin without delay. Additionally, reviewing site activity and content for signs of unauthorized changes is advisable to ensure no exploitation has occurred.

Historical Context and Continuous Vigilance:

This is not the first time vulnerabilities have been identified in WordPress plugins, and Sydney Toolbox itself has had vulnerabilities in the past, with one other issue reported since February 14, 2024. These incidents collectively highlight the ongoing battle against cyber threats and the importance of continuous vigilance.


For small business owners juggling myriad responsibilities, staying abreast of every security update can seem daunting. Yet, the digital health of your business depends on this vigilance. Leveraging tools and services that monitor and manage website security can alleviate some of this burden, but a foundational understanding of the importance of regular updates is indispensable. In an era where digital threats are ever-evolving, ensuring the security of your WordPress site is not just maintenance—it's a crucial investment in your business's longevity and reputation.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
