wpvulndb | FAIYAZ AHMAD | WPVDB-ID: 7F9271F2-4DE4-4BE3-8746-2A3F149EB1D1
History: Sep 25, 2023 - 12:00 a.m.

WordPress File Upload < 4.23.3 - Author+ Stored Cross-Site Scripting

2023-09-25 00:00:00
FAIYAZ AHMAD
wpscan.com
wordpress
file upload
cross-site scripting
security
vulnerability
plugin

EPSS: 0.0004 (Low), percentile 14.1%

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as authors to perform Stored Cross-Site Scripting attacks.

PoC

1. Add the following shortcode to a post: [wordpress_file_upload redirect="true" redirectlink="javascript:alert(1)"]
2. Upload any file on the resulting post.
3. After the upload completes, you will see the XSS alert in the browser.
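The root cause described above is a shortcode attribute (`redirectlink`) that reaches the page as a redirect target without scheme validation or attribute escaping. The following is an added illustration of the defensive check, not code from the advisory or from the plugin: it parses the shortcode attributes out of a constructed post body, rejects any link whose scheme is not http/https (relative links are kept), and escapes the surviving value before it is written into an HTML attribute. The function names (`parse_shortcode_attrs`, `sanitize_redirect_link`, `render_redirect_attr`) and the `data-redirect` attribute are assumptions for this example; in WordPress itself `esc_url()` and `esc_attr()` perform the equivalent roles.

```python
"""Added example: scheme allowlist plus attribute escaping for a redirect
link taken from a shortcode attribute. Not the plugin's code; names are
hypothetical."""
import re
from html import escape
from urllib.parse import urlsplit

# Only these schemes may be used as a post-upload redirect target.
ALLOWED_SCHEMES = {"http", "https"}

# Minimal shortcode/attribute matcher for the [wordpress_file_upload ...] tag.
SHORTCODE_RE = re.compile(r"\[wordpress_file_upload\b([^\]]*)\]")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_shortcode_attrs(post_content: str) -> dict:
    """Return the key="value" attributes of the first matching shortcode."""
    match = SHORTCODE_RE.search(post_content)
    if not match:
        return {}
    return dict(ATTR_RE.findall(match.group(1)))


def sanitize_redirect_link(value: str) -> str:
    """Return the link if its scheme is allowed (or absent), else ''.

    Whitespace and non-printable characters are removed first, because
    browsers tolerate forms such as 'java\\tscript:' that a naive prefix
    check would miss. urlsplit() lower-cases the scheme, so mixed case
    such as 'JaVaScRiPt:' is handled as well.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    # Note: a protocol-relative '//host/...' passes the scheme check; that is
    # an open-redirect question, separate from the script-injection one here.
    return cleaned


def render_redirect_attr(value: str) -> str:
    """Build the HTML attribute the front-end would read, attribute-escaped."""
    safe = sanitize_redirect_link(value)
    return f'data-redirect="{escape(safe, quote=True)}"'


def render_post(post_content: str) -> str:
    """Parse the shortcode from a post body and emit the escaped attribute."""
    attrs = parse_shortcode_attrs(post_content)
    return render_redirect_attr(attrs.get("redirectlink", ""))


if __name__ == "__main__":
    # Constructed sample post body using the attribute shape from the advisory.
    post = '[wordpress_file_upload redirect="true" redirectlink="javascript:alert(1)"]'
    print(parse_shortcode_attrs(post))
    print(render_post(post))  # the javascript: value is dropped entirely
    print(render_post('[wordpress_file_upload redirectlink="/thanks/"]'))
```

The two layers are deliberately separate: the scheme allowlist stops `javascript:` and `data:` values from ever becoming a navigation target, and the attribute escaping stops a value that does pass the allowlist from breaking out of the surrounding HTML attribute with a stray quote.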

CPE

| Name | Operator | Version |
|------|----------|---------|
|      | eq       | 4.23.3  |

