Lucene search
Vaishnav RajeevanWPEX-ID:845BBFDD-FE9F-487C-91A0-5FE10403D8A2HistoryOct 27, 2023 - 12:00 a.m.
PubyDoc <= 2.0.6 - Admin+ Stored XSS
2023-10-2700:00:00
Vaishnav Rajeevan
25
pubydoc
admin
stored xss
injection
wordpress
0.0004 Low
EPSS
Percentile
14.1%
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
1) After the installing the plugin, create a new table at /wp-admin/admin.php?page=pyt-tables&tab=tables-new, and insert the following malicious XSS payload in its "Title" field: `"><img src=x onerror=confirm(1)>`
2) Save the payload, and notice the injection alert() box popping up when viewing the full list of tables in `/wp-admin/admin.php?page=pyt-tables&tab=tables`Related
prion
prion
Cross site scripting
2023-11-20 19:15:00
wpvulndb
wpvulndb
PubyDoc <= 2.0.6 - Admin+ Stored XSS
2023-10-27 00:00:00
nvd
nvd
CVE-2023-4970
2023-11-20 19:15:09
cve
cve
CVE-2023-4970
2023-11-20 19:15:09
cvelist
cvelist
CVE-2023-4970 PubyDoc <= 2.0.6 - Admin+ Stored XSS
2023-11-20 18:55:02
wordfence
wordfence