Lucene search
MINGYOUNG BANWPVDB-ID:58F7C9AA-5E59-468F-ABA9-B15E7942FD37HistoryDec 21, 2023 - 12:00 a.m.
Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS
2023-12-2100:00:00
MINGYOUNG BAN
wpscan.com
6
keap official opt-in forms
stored xss
admin privilege
multisite setup
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
PoC
1. Store the script in non-sanitized fields like ‘Opt in title’, ‘Opt in message’, and ‘Success Message text’: 2. Visit the website, and then the script gets executed.
Related
prion
prion
Cross site scripting
2024-01-15 16:15:00
cve
cve
CVE-2023-6941
2024-01-15 16:15:12
wpexploit
wpexploit
Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS
2023-12-21 00:00:00
cvelist
cvelist
CVE-2023-6941 Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS
2024-01-15 15:10:38
nvd
nvd
CVE-2023-6941
2024-01-15 16:15:12
5.4 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.2%
Related for WPVDB-ID:58F7C9AA-5E59-468F-ABA9-B15E7942FD37