Cross site scripting

2023-01-1018:15:00

PRIOn knowledge base

www.prio-n.com

cpo companion

wordpress

cross-site scripting

stored

vulnerability

administrator-level

permissions

0.0005 Low

EPSS

Percentile

18.0%

JSON

The CPO Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its content type settings parameters in versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CPENameOperatorVersion
cpo_companionle1.0.4

CPE	Name	Operator	Version
	cpo_companion	le	1.0.4

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2844012%40cpo-companion%2Ftrunk&old=2574013%40cpo-companion%2Ftrunk&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/9195ac7e-2995-44d0-b5c6-8ffb47395f24

0.0005 Low

EPSS

Percentile

18.0%

JSON

Related for PRION:CVE-2023-0162