wpexploit
Rohan Chaudhari
WPEX-ID:A5C9FA61-E6F1-4460-84FE-977A203BD4BC
Mar 28, 2022 - 12:00 a.m.

Text Hover < 4.2 - Admin+ Stored Cross-Site Scripting


EPSS: 0.001 (Low), Percentile: 24.8%

The plugin does not sanitize and escape the text to hover, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

As admin, put the following in the plugin's settings: test => "><script>alert(/XSS/)</script>

Tick the "Enable text hover in comments?" option, post a comment on a post/page containing the word 'test', and hover over it to trigger the XSS.

You can also edit a post and put the word 'test' in it to achieve the same result.
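As an added illustration (not the plugin's code and not part of the original report), the PHP below shows the unescaped rendering next to a version that escapes the hover text at output. The abbr/title markup, the function names and the sample comment are assumptions; htmlspecialchars() stands in for WordPress's esc_attr() so the script runs outside WordPress.

```php
<?php
// Added illustration, not the Text Hover plugin's code.
// Assumption: each configured term is wrapped in <abbr title="..."> and the
// admin-supplied hover text becomes the title attribute value.

// Single-pass replacement; $encode decides how the hover text enters the attribute.
function wrap_terms( string $content, array $map, callable $encode ): string {
    if ( ! $map ) {
        return $content;
    }
    $alts = implode( '|', array_map(
        fn( $t ) => preg_quote( (string) $t, '/' ),
        array_keys( $map )
    ) );
    $out = preg_replace_callback(
        '/\b(?:' . $alts . ')\b/',
        fn( $m ) => '<abbr title="' . $encode( $map[ $m[0] ] ) . '">' . $m[0] . '</abbr>',
        $content
    );
    return $out ?? $content;
}

// Before: the hover text is emitted exactly as stored in the settings, so a
// double quote in it closes the attribute and the rest is parsed as markup.
function render_unescaped( string $content, array $map ): string {
    return wrap_terms( $content, $map, fn( $s ) => $s );
}

// After: encode for the attribute context at output time. Inside a plugin the
// equivalent call is esc_attr(); sanitizing the setting on save complements it.
function render_escaped( string $content, array $map ): string {
    return wrap_terms( $content, $map,
        fn( $s ) => htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ) );
}

// Constructed sample data: the term and hover text from the report above,
// plus a made-up comment body.
$map     = array( 'test' => '"><script>alert(/XSS/)</script>' );
$comment = 'this is a test comment';

echo render_unescaped( $comment, $map ), PHP_EOL;
echo render_escaped( $comment, $map ), PHP_EOL;
```

Because the value is encoded where it is written into the page, the second form holds regardless of whether the user who saved the setting has the unfiltered_html capability.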
