CVE-2024-4381

CVE-2024-4381 affects the CB (legacy) WordPress plugin, versions up to 0.9.4.18, due to incomplete sanitisation/escaping of some settings. This can let high-privilege users (e.g., administrators) perform Stored XSS, even when unfiltered_html is disallowed (e.g., multisite). Public details confirm...

WordPress CB (legacy) Plugin <= 0.9.4.18 is vulnerable to Cross Site Scripting (XSS)

Software CB legacy Type Plugin Vulnerable versions = 0.9.4.18 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-4381 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 4e6302b904fc Credits Bob Matyas Required privilege...

WordPress CB (legacy) Plugin <= 0.9.4.18 is vulnerable to Cross Site Request Forgery (CSRF)

Software CB legacy Type Plugin Vulnerable versions = 0.9.4.18 Fixed in N/A OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2024-4382 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID c0af2ef4c714 Credits Bob Matyas Required...

CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to...