China National Vulnerability Database: CNVD-2022-31557
Feb 23, 2022 - 12:00 a.m.

WordPress Plugin Five Star Business Profile and Schema Cross-Site Scripting Vulnerability

www.cnvd.org.cn
Tags: wordpress, five star business, profile, schema, cross-site scripting, authorization, csrf, php, mysql, vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports building personal blog sites on servers running PHP and MySQL. Cross-site scripting vulnerabilities exist in versions of the WordPress plugin Five Star Business Profile and Schema prior to 2.1.7. They stem from the plugin performing no authorization or cross-site request forgery (CSRF) token checks in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX actions, which allows any authenticated user (such as a subscriber) to invoke them. In addition, the lack of filtering and escaping can lead to stored cross-site scripting issues. No detailed vulnerability details are currently available.
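The three missing controls named above (nonce check, capability check, filtering and escaping), shown on a generic WordPress AJAX handler. This is an added example, not the plugin's code or its 2.1.7 fix; the action name, option name and nonce action are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. The action name
// "example_set_contact_information", the option "example_contact_name" and
// the nonce action "example_welcome" are hypothetical.

// Pattern the advisory describes: a wp_ajax_* hook only guarantees a
// logged-in user, so a subscriber can call this, and the value is stored
// unfiltered. Shown for contrast and deliberately not registered.
function example_set_contact_information_unchecked() {
    update_option( 'example_contact_name', $_POST['name'] );
    wp_send_json_success();
}

// Hardened form: CSRF token, capability check, input sanitization.
function example_set_contact_information() {
    // Reject requests that lack a valid nonce in $_POST['nonce'].
    // With the third argument false, the function returns false instead of dying.
    if ( ! check_ajax_referer( 'example_welcome', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }
    // Authorization: only administrators may change site contact data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    // Filter on input: strip tags and control characters before storing.
    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';
    update_option( 'example_contact_name', $name );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_contact_information', 'example_set_contact_information' );

// Escape on output as well, so a value stored before the fix cannot run as script.
function example_render_contact_name() {
    echo '<span class="contact-name">'
        . esc_html( get_option( 'example_contact_name', '' ) )
        . '</span>';
}
```

The page that issues the request would embed the matching token with wp_create_nonce( 'example_welcome' ) and send it as the nonce field.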