Lucene search
Dmitrii IgnatyevWPEX-ID:996D3247-EBDD-49D1-A1A3-CEEDCF9F2F95HistoryMay 28, 2024 - 12:00 a.m.
FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS
2024-05-2800:00:00
Dmitrii Ignatyev
7
foobox
premium
vulnerability
update
xss
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Go to settings and change the "Specific CSS classes" field to 123"</script><img src=x onerror=alert(1)>alert(1) (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)References
Related
cvelist
cvelist
CVE-2024-3276 FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS
2024-06-18 06:00:02
wpvulndb
wpvulndb
FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS
2024-05-28 00:00:00
nvd
nvd
CVE-2024-3276
2024-06-18 06:15:12
cve
cve
CVE-2024-3276
2024-06-18 06:15:12
wordfence
wordfence
7.8 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Related for WPEX-ID:996D3247-EBDD-49D1-A1A3-CEEDCF9F2F95