Lucene search
ErdemstarWPVDB-ID:0CD5B288-05B3-48B7-9245-F59CE7377861HistoryMay 08, 2024 - 12:00 a.m.
Playlist for Youtube <= 1.32 - Editor+ Stored XSS
2024-05-0800:00:00
Erdemstar
wpscan.com
3
plugin
stored cross-site scripting
admin
unfiltered html
multisite setup
vulnerability}
.
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PoC
1. Go to https://example.com/wp-admin/admin.php?page=playlists_yt_free 2. For the Playlist Name and/or Video size add the payload "> 3. Click “Add” and see the XSS
Related
wpexploit
wpexploit
Playlist for Youtube <= 1.32 - Editor+ Stored XSS
2024-05-08 00:00:00
nvd
nvd
CVE-2024-3937
2024-05-29 06:18:32
cvelist
cvelist
CVE-2024-3937 Playlist for Youtube <= 1.32 - Editor+ Stored XSS
2024-05-29 06:00:02
cve
cve
CVE-2024-3937
2024-05-29 06:18:32
vulnrichment
vulnrichment
CVE-2024-3937 Playlist for Youtube <= 1.32 - Editor+ Stored XSS
2024-05-29 06:00:02
wordfence
wordfence
5.4 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
Related for WPVDB-ID:0CD5B288-05B3-48B7-9245-F59CE7377861