Lucene search
David Suho LeeWPEX-ID:2ADC5995-03A9-4860-B00B-7F8D7FE18058HistoryNov 28, 2023 - 12:00 a.m.
WP Crowdfunding < 2.1.8 - Admin+ Stored XSS
2023-11-2800:00:00
David Suho Lee
31
wordpress
crowdfunding
xss
admin
security
exploit
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
1. Add a campaign and for the reward descrption enter the payload `<script>alert(1)</script>`
2. When the campaign is published, view it in the campaign list and see the alert box.Related
cve
cve
CVE-2023-5757
2023-12-11 20:15:07
prion
prion
Cross site scripting
2023-12-11 20:15:00
wpvulndb
wpvulndb
WP Crowdfunding < 2.1.8 - Admin+ Stored XSS
2023-11-28 00:00:00
cvelist
cvelist
CVE-2023-5757 WP Crowdfunding < 2.1.8 - Admin+ Stored XSS
2023-12-11 19:22:40
nvd
nvd
CVE-2023-5757
2023-12-11 20:15:07
5.7 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.1%
Related for WPEX-ID:2ADC5995-03A9-4860-B00B-7F8D7FE18058