Lucene search
Hao Huynh, My LeWPEX-ID:42B1F017-C497-4825-B12A-8DCE3E108A55HistoryMay 25, 2023 - 12:00 a.m.
File Renaming on Upload < 2.5.2 - Admin+ Stored Cross-Site Scripting
2023-05-2500:00:00
Hao Huynh, My Le
89
file renaming
upload
cross-site scripting
vulnerability
plugin's settings
EPSS
0.001
Percentile
21.5%
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Multiple inputs in the plugin's settings -- for example `frou_filenaming_rules_opt[datetime_format]` -- are vulnerable to XSS. Entering the string `Y-m-d_H-i-s_u\<\s\c\r\i\p\t\>\a\l\e\r\t\(\1\)\<\/\s\c\r\i\p\t\>` into setting textboxes results in XSS. Related
prion
prion
Cross site scripting
2023-06-19 11:15:00
cvelist
cvelist
cve
cve
CVE-2023-2684
2023-06-19 11:15:10
wpvulndb
wpvulndb
File Renaming on Upload < 2.5.2 - Admin+ Stored Cross-Site Scripting
2023-05-25 00:00:00
nvd
nvd
CVE-2023-2684
2023-06-19 11:15:10
wordfence
wordfence