Lucene search
Bob MatyasWPVDB-ID:6A2EB871-6B6E-4DBB-99F0-DD74D6C61E83HistoryJan 30, 2024 - 12:00 a.m.
Persian Fonts <= 1.6 - Admin+ Stored XSS
2024-01-3000:00:00
Bob Matyas
wpscan.com
4
persian fonts version 1.6 xss stored cross-site scripting admin users unfiltered_html capability multisite
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PoC
1. Navigate to: https://example.com/wp-admin/admin.php?page=persian-fonts%2Fpersian-fonts.php 2. In the textarea, add the payload: 3. Click “Save changes” and see the XSS on reload
Related
prion
prion
Cross site scripting
2024-02-27 09:15:00
cvelist
cvelist
CVE-2023-7167 Persian Fonts <= 1.6 - Admin+ Stored XSS
2024-02-27 08:30:24
nvd
nvd
CVE-2023-7167
2024-02-27 09:15:37
wpexploit
wpexploit
Persian Fonts <= 1.6 - Admin+ Stored XSS
2024-01-30 00:00:00
cve
cve
CVE-2023-7167
2024-02-27 09:15:37
wordfence
wordfence
7.7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.1%
Related for WPVDB-ID:6A2EB871-6B6E-4DBB-99F0-DD74D6C61E83