Lucene search

K
wpvulndbErdemstarWPVDB-ID:0CD5B288-05B3-48B7-9245-F59CE7377861
HistoryMay 08, 2024 - 12:00 a.m.

Playlist for Youtube <= 1.32 - Editor+ Stored XSS

2024-05-0800:00:00
Erdemstar
wpscan.com
4
plugin
stored cross-site scripting
admin
unfiltered html
multisite setup
vulnerability} .

AI Score

5.4

Confidence

High

EPSS

0

Percentile

9.0%

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PoC

1. Go to https://example.com/wp-admin/admin.php?page=playlists_yt_free 2. For the Playlist Name and/or Video size add the payload "&gt; 3. Click “Add” and see the XSS

AI Score

5.4

Confidence

High

EPSS

0

Percentile

9.0%

Related for WPVDB-ID:0CD5B288-05B3-48B7-9245-F59CE7377861