Lucene search
Bob MatyasWPEX-ID:ADC6EA6D-29D8-4AD0-B0DB-2540E8B3F9A9HistoryMay 31, 2024 - 12:00 a.m.
Google CSE <= 1.0.7 - Admin+ Stored XSS
2024-05-3100:00:00
Bob Matyas
10
google cse
stored xss
admin+
vulnerability
exploit
web security
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
1. Go to https://example.com/wp-admin/options-general.php?page=google-cse-options
2. Enter the payload `da"><script>alert(1)</script>` for either input and save
3. See the XSSRelated
wpvulndb
wpvulndb
Google CSE <= 1.0.7 - Authenticated (Admin+) Stored Cross-Site Scripting
2024-06-05 00:00:00
Google CSE <= 1.0.7 - Admin+ Stored XSS
2024-05-31 00:00:00
cve
cve
CVE-2024-4755
2024-06-21 06:15:12
CVE-2024-5656
2024-06-06 05:15:49
cvelist
cvelist
CVE-2024-4755 Google CSE <= 1.0.7 - Admin+ Stored XSS
2024-06-21 06:00:05
vulnrichment
vulnrichment
CVE-2024-4755 Google CSE <= 1.0.7 - Admin+ Stored XSS
2024-06-21 06:00:05
nvd
nvd
CVE-2024-4755
2024-06-21 06:15:12
CVE-2024-5656
2024-06-06 05:15:49
wordfence
wordfence
5.6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.2%
Related for WPEX-ID:ADC6EA6D-29D8-4AD0-B0DB-2540E8B3F9A9