Lucene search
Bob MatyasWPEX-ID:6E167864-C304-402E-8B2D-D47B5A3767D1HistoryJul 10, 2023 - 12:00 a.m.
Short URL < 1.6.5 - Admin+ Cross Site Scripting
2023-07-1000:00:00
Bob Matyas
49
short url admin+ cross site scripting
wordpress plugin
poc
external url
comments
xss
wordpress v5.8.7
exploit
0.0004 Low
EPSS
Percentile
14.1%
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
In the plugin settings, add the POC <script>alert(1)</script> to the "External URL" or "Comments" fields and reload to see XSS.
Note: This must be tested on WordPress v5.8.7Related
cve
cve
CVE-2023-3130
2023-07-31 10:15:10
prion
prion
Cross site scripting
2023-07-31 10:15:00
cvelist
cvelist
CVE-2023-3130 Short URL < 1.6.5 - Admin+ Cross Site Scripting
2023-07-31 09:37:34
nvd
nvd
CVE-2023-3130
2023-07-31 10:15:10
wpvulndb
wpvulndb
Short URL < 1.6.5 - Admin+ Cross Site Scripting
2023-07-10 00:00:00
wordfence
wordfence