logo
DATABASE RESOURCES PRICING ABOUT US

Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS

Description

The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note (WPScanTeam): The CSRF has ben fixed and proper capability checks have also been added in 5.11.1, however some sanitisation was still missing, still allowing XSS via a high privilege account in other pages and a different issue has been created for it


Related