wpvulndb | Dmitrii Ignatyev | WPVDB-ID:635BE98D-4C17-4E75-871F-9794D85A2EB1
History: May 27, 2024 - 12:00 a.m.

PostX < 4.1.0 - Contributor+ Stored XSS

2024-05-27 00:00:00
Dmitrii Ignatyev
wpscan.com
5
postx
4.1.0
stored xss
contributor+ role
poc
june 10 2024
update
software

AI Score: 8.3

Confidence: High

Description: The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PoC

As a contributor, put the below code in a post while in Code Editor mode. The XSS will be triggered when (pre)viewing the post and moving the mouse over the ClickMe! text.
