Lucene search
Lana CodesWPEX-ID:AE103336-A411-4EBF-A5F0-2F35701E364CHistoryJan 27, 2023 - 12:00 a.m.
Paid Memberships Pro < 2.9.9 - Contributor+ Stored XSS via Shortcode
2023-01-2700:00:00
Lana Codes
242
paid memberships pro
stored xss
shortcode
security exploit
EPSS
0.001
Percentile
25.5%
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
1. Insert the following shortcode into a page/post:
[pmpro_checkout_button class='" onmouseover="alert(1)"']
2. Browse the page and hover over the button.Related
prion
prion
Cross site scripting
2023-02-13 15:15:00
cve
cve
CVE-2022-4830
2023-02-13 15:15:20
wpvulndb
wpvulndb
Paid Memberships Pro < 2.9.9 - Contributor+ Stored XSS via Shortcode
2023-01-27 00:00:00
cvelist
cvelist
openvas
openvas
WordPress Paid Memberships Pro Plugin < 2.9.9 XSS Vulnerability
2023-02-14 00:00:00
osv
osv
CVE-2022-4830
2023-02-13 15:15:20
nvd
nvd
CVE-2022-4830
2023-02-13 15:15:20