Lucene search
Enrico MarcoliniWPEX-ID:CA7B6A39-A910-4B4F-B9CC-BE444EC44942HistoryDec 14, 2023 - 12:00 a.m.
WP Crowdfunding < 2.1.9 - Reflected XSS
2023-12-1400:00:00
Enrico Marcolini
59
wordpress
crowdfunding
xss
security
widget
search
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
1. Add a "Campaign Search" widget to your site (via Appearance > Customise > Widgets for example)
2. Access the URL: https://www.example.com/?s="><script>alert(/XSS/)</script>&post_type=product&product_type=croudfunding
3. See the XSS.Related
cve
cve
CVE-2023-6161
2024-01-08 19:15:10
nvd
nvd
CVE-2023-6161
2024-01-08 19:15:10
wpvulndb
wpvulndb
WP Crowdfunding < 2.1.9 - Reflected XSS
2023-12-14 00:00:00
cvelist
cvelist
CVE-2023-6161 WP Crowdfunding < 2.1.9 - Reflected XSS
2024-01-08 19:00:27
prion
prion
Cross site scripting
2024-01-08 19:15:00
AI Score
6
Confidence
High
EPSS
0.001
Percentile
17.0%
Related for WPEX-ID:CA7B6A39-A910-4B4F-B9CC-BE444EC44942