Lucene search
Raad Haddad of Cloudyrion GmbHWPEX-ID:EA0180CD-E018-43EA-88B9-FA8E71BF34BFHistoryJul 05, 2022 - 12:00 a.m.
WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting
2022-07-0500:00:00
Raad Haddad of Cloudyrion GmbH
130
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
On http://target.tld/wp-admin/edit.php?post_type=spucpt&page=spu_settings
Add the payload "><script>alert(/XSS/)</script> on the Affiliate link text fieldRelated
wpvulndb
wpvulndb
WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting
2022-07-05 00:00:00
patchstack
patchstack
cve
cve
CVE-2022-2305
2022-08-01 13:15:00
prion
prion
Cross site scripting
2022-08-01 13:15:00
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Related for WPEX-ID:EA0180CD-E018-43EA-88B9-FA8E71BF34BF