Lucene search
Ankur BakreWPEX-ID:F90C528B-8C3A-4F9A-AA36-099C24ABE082HistoryMar 28, 2022 - 12:00 a.m.
Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting
2022-03-2800:00:00
Ankur Bakre
61
thank me later
stored cross-site scripting
admin+
exploit
vulnerability
cross-site scripting
messages list
EPSS
0.001
Percentile
24.8%
The plugin does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Add/Edit a message and put the following payload in the Subject field: "><img src onerror=prompt(/XSS/)>
The XSS will be triggered in the Messages list (/wp-admin/admin.php?page=bbpp_thankmelater)Related
cve
cve
CVE-2022-1063
2022-04-18 18:15:08
wpvulndb
wpvulndb
Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting
2022-03-28 00:00:00
cnvd
cnvd
WordPress plugin Thank Me Later cross-site scripting vulnerability
2022-04-19 00:00:00
prion
prion
Cross site scripting
2022-04-18 18:15:00
cvelist
cvelist
CVE-2022-1063 Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting
2022-04-18 17:10:49
patchstack
patchstack
nvd
nvd
CVE-2022-1063
2022-04-18 18:15:08