Lucene search
Dipak Panchal (th3.d1pak)WPEX-ID:3C76D0F4-2EA8-433D-AFB2-E35E45630899HistoryJun 19, 2023 - 12:00 a.m.
Float menu < 5.0.3 - Admin+ Stored Cross-Site Scripting
2023-06-1900:00:00
Dipak Panchal (th3.d1pak)
56
float menu
admin+ stored cross-site scripting
vulnerability
plugin settings
xss
0.001 Low
EPSS
Percentile
19.5%
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
1. Add a new item in the plugin settings
2. Enter the payload `javascript:alert(/XSS/);` in the "Link" field
3. Go to the homepage, and click on the generated link to trigger the XSS
Related
prion
prion
Cross site scripting
2023-07-10 16:15:00
cve
cve
CVE-2023-3225
2023-07-10 16:15:55
wpvulndb
wpvulndb
Float menu < 5.0.3 - Admin+ Stored Cross-Site Scripting
2023-06-19 00:00:00
nvd
nvd
CVE-2023-3225
2023-07-10 16:15:55
cvelist
cvelist
CVE-2023-3225 Float menu < 5.0.3 - Admin+ Stored Cross-Site Scripting
2023-07-10 12:41:13
wordfence
wordfence