CPT Shortcode Generator <= 1.0 - Admin+ Stored XSS

2023-10-2600:00:00

wpscan.com

cpt shortcode generator

stored cross-site scripting

admin users

unfiltered html

plugin vulnerability

multisite setup

6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

References

patchstack.com/database/vulnerability/cpt-shortcode/wordpress-cpt-shortcode-generator-plugin-1-0-cross-site-scripting-xss-vulnerability

www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cpt-shortcode/cpt-shortcode-generator-10-authenticated-administrator-stored-cross-site-scripting-via-settings