wpexploit | Bartlomiej Marek | WPEX-ID:9EC03EF0-0C04-4517-B761-DF87AF722A64
Oct 16, 2023 - 12:00 a.m.

URL Shortify < 1.7.9.1 - Admin+ Stored XSS

2023-10-16 00:00:00
Bartlomiej Marek
Tags: url shortify, plugin, xss, vulnerability, admin+, stored, edit link, edit group, parameters

EPSS: 0.0004 (Low), percentile 14.1%

Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Multiple parameters in the plugin's settings are vulnerable to stored cross-site scripting. Each payload below closes the HTML attribute the stored value is rendered into with a double quote and appends an onmouseover event handler, which fires whenever the saved link or group is displayed in the plugin's admin screens. Because the attack requires an administrator account, the practical impact is limited to setups where administrators are not trusted with raw HTML; WordPress multisite removes unfiltered_html from site administrators by default, so a site admin there gains script execution they would otherwise be denied.

Links -> Edit Link
- "Short URL" payload: `9onp" onmouseover=alert(3) abc="`
- "Title" payload: `KaizenCoders" onmouseover=alert(1) abc="`

Groups -> Edit Group
- "Name" payload: `title" onmouseover=alert(2) abc="`
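The attribute-breakout mechanic behind these payloads, as an added example rather than the plugin's own code: a vulnerable rendering pattern that writes a stored value straight into a quoted attribute sits beside the escaped form, and a parser check reports which on* event handlers a browser would actually tokenise from each. The `<input>` markup, the field names and the helper names are assumptions for illustration; `html.escape(quote=True)` stands in for WordPress's `esc_attr()`, which encodes the same characters.

```python
import html
from html.parser import HTMLParser

# Payloads as listed in the advisory above; the field keys are assumptions.
PAYLOADS = {
    "short_url": '9onp" onmouseover=alert(3) abc="',
    "title": 'KaizenCoders" onmouseover=alert(1) abc="',
    "group_name": 'title" onmouseover=alert(2) abc="',
}


def render_unescaped(field, value):
    """Vulnerable pattern: the stored value is dropped straight into a quoted attribute."""
    return f'<input type="text" name="{field}" value="{value}">'


def render_escaped(field, value):
    """Hardened pattern: attribute-escape on output.

    html.escape(quote=True) encodes & < > " and ', the same set WordPress's
    esc_attr() encodes, so the stored double quote can no longer close the
    attribute and the rest of the payload stays inside the value.
    """
    return f'<input type="text" name="{field}" value="{html.escape(value, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collect the attributes of the <input> tag the way a browser tokenises them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # HTMLParser already strips quotes and decodes entities in values.
            self.attrs = dict(attrs)


def parse_attrs(markup):
    """Return {attribute_name: value} for the rendered <input> tag."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_handlers(markup):
    """Return only the on* event-handler attributes present in the rendered tag."""
    return {k: v for k, v in parse_attrs(markup).items() if k.startswith("on")}


def check_payloads():
    """For each payload: (handler injected when unescaped?, handler injected when escaped?)."""
    return {
        name: (
            bool(injected_handlers(render_unescaped(name, value))),
            bool(injected_handlers(render_escaped(name, value))),
        )
        for name, value in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, value in PAYLOADS.items():
        unsafe = render_unescaped(name, value)
        safe = render_escaped(name, value)
        print(f"[{name}] unescaped: {unsafe}")
        print(f"           handlers: {injected_handlers(unsafe)}")
        print(f"[{name}] escaped:   {safe}")
        print(f"           handlers: {injected_handlers(safe)}")
```

The parser check is the useful part when triaging a fix: the escaped render still carries the full payload string as the attribute's value, but no `onmouseover` attribute exists, which is the condition the browser actually cares about. Escaping on output is what closes this class of bug regardless of whether the stored value was sanitised on the way in.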
