Community Alert: XSS in ONLYOFFICE DocSpace (CVE-2024-11750)

Cross-Site Scripting (XSS) in WordPress ONLYOFFICE DocSpace Plugin

Plugin Name: ONLYOFFICE DocSpace
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2024-11750
Urgency: Low
CVE Publish Date: 2026-02-03
Source URL: CVE-2024-11750

Authenticated (Contributor) Stored XSS in ONLYOFFICE DocSpace (<= 2.1.1) — What Site Owners Must Do Now

Summary: A stored Cross‑Site Scripting (XSS) vulnerability in ONLYOFFICE DocSpace versions ≤ 2.1.1 (CVE‑2024‑11750) allows an authenticated user with Contributor privileges to store script payloads that execute in other users’ browsers. Version 2.1.2 contains the fix. This advisory provides a concise technical summary, realistic attack scenarios, detection techniques, and clear mitigation steps for site owners and administrators — with practical options when immediate updating is not possible.


Table of contents

  • Overview: what happened
  • Technical summary: how the vulnerability works
  • Realistic attack scenarios and impact
  • Affected versions and CVE / CVSS context
  • Immediate steps for site administrators
  • How to detect whether you’ve been targeted
  • How to mitigate when you cannot immediately update
  • Long‑term hardening and best practices
  • How virtual patching helps immediately
  • Practical commands and code snippets (appendix)
  • Final notes and recommended timeline

Overview: what happened

On 3 February 2026 a stored Cross‑Site Scripting (XSS) issue in ONLYOFFICE DocSpace was disclosed publicly. The vulnerability (CVE‑2024‑11750) allows a Contributor (an authenticated user with limited privileges) to submit content that is later rendered without sufficient sanitization or encoding, resulting in script execution when another user views the affected page or document entry. The plugin author released a patch in version 2.1.2.

This advisory is written for WordPress site owners and administrators — especially teams in Hong Kong managing multi‑author sites, intranets, or learning platforms where Contributor accounts are common. Read this and act quickly: the fix is simple (update), but interim controls reduce exposure while you test and deploy the patch.

Technical summary: how the vulnerability works

Stored XSS occurs when attacker-controlled data is stored on the server and later rendered into pages without proper validation, sanitization, and output encoding.

  • Required privilege: Contributor (can create content but typically cannot publish or manage plugins).
  • Vulnerability type: Stored Cross‑Site Scripting (persistent XSS).
  • Trigger: A Contributor injects a payload into fields the plugin stores (title, description, comments, metadata). Those fields are later displayed verbatim in admin or public views.
  • Exploitation risk: If an admin or other high‑privilege user views the payload, the script executes in that user’s browser context, allowing cookie/token theft, privileged actions via authenticated requests, or workspace compromise.
  • Fix: Update to ONLYOFFICE DocSpace 2.1.2 — the patch ensures appropriate sanitization/encoding of affected fields.

Realistic attack scenarios and impact

Stored XSS is persistent and can be weaponised when higher‑privilege users trigger it. Examples:

  • Administrator account compromise: A Contributor plants a script in a document description. When an administrator opens the document, the script exfiltrates session tokens to an attacker and allows site takeover.
  • Content defacement or misinformation: Injected markup adds deceptive banners or popups on editorial pages, damaging reputation.
  • CSRF chaining: The script performs background requests to admin endpoints, changing settings or creating users if endpoint protections are weak.
  • Supply‑chain pivot: The script locates internal document IDs, API keys, or other sensitive UI items and leaks them.

Even if exploitation requires a privileged user to view content, the risk is significant for editorial workflows where admins regularly preview submissions.

Affected versions and CVE / CVSS context

  • Affected: ONLYOFFICE DocSpace ≤ 2.1.1
  • Fixed in: 2.1.2
  • CVE: CVE‑2024‑11750
  • CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (score ~6.5)

Notes on vector: the attacker needs network access and a Contributor account (PR:L). A privileged user must view or interact with the malicious content (UI:R). Scope is Changed (S:C): the script runs in the viewing user's browser, so the impact can cross privilege boundaries.

Immediate steps for site administrators (fastest risk reduction)

  1. Update the plugin (recommended): Apply ONLYOFFICE DocSpace 2.1.2 as soon as possible. Test on staging before production when feasible.
  2. If you cannot update immediately — short‑term mitigations:
    • Temporarily suspend or remove untrusted Contributor accounts you cannot validate.
    • Change roles for Contributors to Subscriber or a tighter custom role until the patch is applied.
    • Enforce content moderation: require drafts and admin/editor approval before submitted content is viewed by higher‑privilege users.
  3. Apply virtual patching with a WAF: If updating is delayed, deploy WAF rules to block likely XSS payloads on plugin endpoints (see rule suggestions below). Virtual patching can stop exploit attempts before they reach application logic.
  4. Scan for malicious content: Search posts, postmeta, comments, and plugin metadata for XSS markers such as
  5. Rotate admin credentials if compromise suspected: Force password resets, invalidate sessions, and rotate any exposed tokens.
  6. Audit high‑privilege actions: Review recent plugin/theme changes, new users, and scheduled tasks for signs of compromise.

How to detect whether you’ve been targeted

Detection combines automated scanning with manual review.

  1. Database search for script tags (quick): Use WP‑CLI or direct DB queries (backup first). Example commands:
# Find posts containing
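The database scan described in the detection steps, as an added example that is not part of the original advisory: a small Python scanner that applies XSS markers (script tags, event handlers, javascript: URIs, svg/iframe elements) to rows exported from wp_posts, wp_postmeta and wp_comments. The rows below are constructed sample data, and the field names (for example docspace_description) are assumed, not the plugin's real meta keys; values are entity- and URL-decoded twice before matching so that stored payloads hidden behind one or two encoding layers are still flagged.

```python
import html
import re
from urllib.parse import unquote

# Indicators of script injection in stored text (defensive triage, not an exhaustive list).
XSS_MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"[\s/\"']on[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "active_element": re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I),
    "data_html_uri": re.compile(r"data\s*:\s*text/html", re.I),
}


def normalize(value):
    """Strip common obfuscation layers (URL-encoding, HTML entities), twice to catch double encoding."""
    out = value
    for _ in range(2):
        out = html.unescape(unquote(out))
    return out


def scan_value(value):
    """Return the names of all markers that match the normalized value."""
    text = normalize(value)
    return [name for name, rx in XSS_MARKERS.items() if rx.search(text)]


def scan_rows(rows):
    """rows: dicts with keys table, id, field, value (e.g. from a WP-CLI or SQL export). Returns findings for manual review."""
    findings = []
    for row in rows:
        hits = scan_value(row["value"])
        if hits:
            findings.append({"table": row["table"], "id": row["id"], "field": row["field"], "markers": hits})
    return findings


# Constructed sample rows; only 102, 77 and 5 contain injection markers.
SAMPLE_ROWS = [
    {"table": "wp_posts", "id": 101, "field": "post_title", "value": "Q3 budget review"},
    {"table": "wp_posts", "id": 102, "field": "post_content", "value": "<p>Notes</p><script>alert(1)</script>"},
    {"table": "wp_postmeta", "id": 77, "field": "docspace_description", "value": "&lt;img src=x onerror=alert(1)&gt;"},
    {"table": "wp_comments", "id": 5, "field": "comment_content", "value": "See %3Ca%20href%3D%22javascript%3Aalert%281%29%22%3Ehere%3C%2Fa%3E"},
    {"table": "wp_postmeta", "id": 78, "field": "docspace_title", "value": "Onboarding (one of two)"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Treat every hit as a lead for manual review rather than proof of compromise: legitimate embeds can match the active_element marker, while a payload split across fields or using an encoding the normalizer does not undo can still slip past these patterns.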