wpexploit | Mohamed Selim | WPEX-ID:090DBDF4-61E2-4B51-A3E2-76096596C514
History: Jun 05, 2023 - 12:00 a.m.

Social Media Share Buttons & Social Sharing Icons < 2.8.2 - Admin+ Stored XSS

2023-06-05 00:00:00
Mohamed Selim
53
Tags: social media, share buttons, stored xss, admin+, settings, exploit

EPSS: 0.001 (Low) | Percentile: 23.3%

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Put the payload in any text field of the "8 Do you want to show a subscription form (increases sign-ups)? » Text above the entry field » Text" settings and save: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

The XSS will be triggered when reaccessing the settings.
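The root cause described above is a settings value that is stored verbatim and then echoed straight into an HTML attribute on the settings page. The following PHP is an added illustration written for this entry, not the plugin's own code: it contrasts the raw-output pattern with the usual WordPress fix (a `sanitize_callback` on `register_setting()` plus `esc_attr()` at output time). The option name `smsb_demo`, the field `subscribe_text` and the `smsb_demo_*` function names are hypothetical placeholders.

```php
<?php
// Added illustration (not the plugin's code). Option/field/function names are
// hypothetical placeholders chosen for this example.

// --- Vulnerable pattern: the stored value is concatenated raw into an attribute.
// A stored value of  " style=animation-name:rotation onanimationstart=alert(/XSS/)//
// closes value="..." early and appends its own attributes, so the script runs
// for whoever opens the settings page. Nothing here consults unfiltered_html,
// which is why the multisite restriction on that capability does not help.
function smsb_demo_render_field_vulnerable( $value ) {
    return '<input type="text" name="smsb_demo[subscribe_text]" value="' . $value . '">';
}

// --- Hardened pattern, step 1: sanitize on save.
// register_setting()'s sanitize_callback runs on every update of the option,
// independent of the saving user's capabilities. sanitize_text_field() strips
// tags and control characters; note that on its own it does NOT remove a plain
// double quote, so step 2 is what actually defeats the attribute break-out.
function smsb_demo_sanitize_settings( $input ) {
    $clean = array();
    $clean['subscribe_text'] = isset( $input['subscribe_text'] )
        ? sanitize_text_field( $input['subscribe_text'] )
        : '';
    return $clean;
}

function smsb_demo_register_settings() {
    register_setting(
        'smsb_demo_group',
        'smsb_demo',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'smsb_demo_sanitize_settings',
            'default'           => array( 'subscribe_text' => '' ),
        )
    );
}
add_action( 'admin_init', 'smsb_demo_register_settings' );

// --- Hardened pattern, step 2: escape for the attribute context at output.
// esc_attr() encodes " as &quot; (and <, >, &), so whatever survived storage
// stays inside the value attribute instead of becoming new markup.
function smsb_demo_render_field_hardened( $value ) {
    return '<input type="text" name="smsb_demo[subscribe_text]" value="' . esc_attr( $value ) . '">';
}

// --- Rendering the settings field the safe way: read the option, escape on output.
function smsb_demo_render_settings_field() {
    $opts  = get_option( 'smsb_demo', array( 'subscribe_text' => '' ) );
    $value = isset( $opts['subscribe_text'] ) ? $opts['subscribe_text'] : '';
    echo smsb_demo_render_field_hardened( $value );
}
```

The practical check when reviewing a plugin's settings page is to follow each `get_option()` value to the exact place it is printed and confirm an escaping function matching that context (`esc_attr()` inside attributes, `esc_html()` in text, `wp_kses_post()` where limited HTML is intended) sits between the two. Sanitization on save is worthwhile, but as the comments note it is not a substitute for output escaping, because a benign-looking string with a single quote character is enough to change the attribute context.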
