The plugin does not sanitise user input when a business is created or edited in the dashboard, so high-privilege users (Editor and above) can store XSS payloads in several business fields (stored/persistent XSS). The stored value is later echoed into the dashboard business list without output escaping, which is where the payload fires. Note that on a single-site WordPress install the Editor and Administrator roles already hold the unfiltered_html capability, so the issue matters most on multisite installs, where that capability is restricted to super admins. Versions before 3.3.1 are affected.

Proof of concept: log in as an Editor or Administrator, then add or edit a business and set the Phone Number field to a value such as "> followed by the payload. The payload is then executed when the business list is viewed in the dashboard. Other affected fields: Country, State, Social media URL, E-mail, City, Zip, Address, Location and Hours.
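The following is an added illustration of the bug class and of the usual WordPress fix, not code from the Chamber Dashboard Business Directory plugin. It assumes businesses are a custom post type whose fields live in post meta; the meta keys, form field names, nonce action and function names are all invented for the example.

```php
<?php
// Added example, not the plugin's own code. Meta keys, form names and the
// nonce action are assumptions; only the WordPress API calls are real.

// Vulnerable pattern: the stored meta value is concatenated into the dashboard
// list markup as-is, so a value such as "><script>...</script> stored in the
// phone field becomes live HTML for every user who opens the list.
function cdbd_example_render_row_vulnerable( $post_id ) {
    $phone = get_post_meta( $post_id, '_cdbd_phone', true );
    $url   = get_post_meta( $post_id, '_cdbd_social_url', true );
    return '<tr><td>' . $phone . '</td>'
         . '<td><a href="' . $url . '">' . $url . '</a></td></tr>';
}

// Hardened form, part 1: sanitise per field type on save. The map lists the
// field groups the advisory names (phone, address-like text, URL, e-mail,
// multi-line hours) with a suitable WordPress sanitiser for each.
function cdbd_example_field_sanitizers() {
    return array(
        '_cdbd_phone'      => 'cdbd_example_sanitize_phone',
        '_cdbd_country'    => 'sanitize_text_field',
        '_cdbd_state'      => 'sanitize_text_field',
        '_cdbd_city'       => 'sanitize_text_field',
        '_cdbd_zip'        => 'sanitize_text_field',
        '_cdbd_address'    => 'sanitize_text_field',
        '_cdbd_location'   => 'sanitize_text_field',
        '_cdbd_hours'      => 'sanitize_textarea_field',
        '_cdbd_email'      => 'sanitize_email',
        '_cdbd_social_url' => 'esc_url_raw',
    );
}

// Phone numbers only need digits, +, separators and whitespace; anything else
// (quotes, angle brackets) is dropped rather than escaped, which kills the PoC
// payload on the way in.
function cdbd_example_sanitize_phone( $raw ) {
    $clean = preg_replace( '/[^0-9+()\-.\s]/', '', $raw );
    return substr( trim( $clean ), 0, 32 );
}

function cdbd_example_save_business( $post_id ) {
    // Assumed nonce and capability checks; missing either is a separate CSRF /
    // broken-access-control problem, so they belong in the same save handler.
    if ( ! isset( $_POST['cdbd_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['cdbd_nonce'] ), 'cdbd_save_business' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( cdbd_example_field_sanitizers() as $meta_key => $sanitizer ) {
        $form_name = ltrim( $meta_key, '_' );
        if ( isset( $_POST[ $form_name ] ) ) {
            $value = call_user_func( $sanitizer, wp_unslash( $_POST[ $form_name ] ) );
            update_post_meta( $post_id, $meta_key, $value );
        }
    }
}

// Hardened form, part 2: escape on output, in the context the value lands in.
// This is the fix that actually neutralises payloads already sitting in the
// database from before the patch; sanitising on save alone does not.
function cdbd_example_render_row_safe( $post_id ) {
    $phone = get_post_meta( $post_id, '_cdbd_phone', true );
    $url   = get_post_meta( $post_id, '_cdbd_social_url', true );
    return '<tr><td>' . esc_html( $phone ) . '</td>'
         . '<td><a href="' . esc_url( $url ) . '">' . esc_html( $url ) . '</a></td></tr>';
}
```

When auditing a plugin for this pattern, grep the admin list renderer for meta values that reach `echo` or string concatenation without passing through esc_html(), esc_attr() or esc_url(), and check the save path for values written to post meta straight from $_POST.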
| CPE | Name | Operator | Version |
|---|---|---|---|
| | chamber-dashboard-business-directory | lt | 3.3.1 |