Lucene search
Lana CodesWPVDB-ID:A30C6F1E-62FD-493D-AD5E-1B55CEEC62A9HistoryJan 26, 2023 - 12:00 a.m.
Hueman Addons <= 2.3.3 - Contributor+ Stored XSS via Shortcode
2023-01-2600:00:00
Lana Codes
wpscan.com
15
hueman addons
stored xss
shortcode
contributor role
cross-site scripting
plugin vulnerability
EPSS
0.001
Percentile
25.5%
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PoC
[column size=‘" onmouseover=“alert(1)” style=“background:red;width:100px;height:100px;”’] Required theme: https://wordpress.org/themes/hueman/ (the shortcode is added only if this theme is used, because according to the wp.org standard, add_shortcode() is plugin territory)
Related
cve
cve
CVE-2022-4784
2023-02-21 09:15:11
nvd
nvd
CVE-2022-4784
2023-02-21 09:15:11
wpexploit
wpexploit
Hueman Addons <= 2.3.3 - Contributor+ Stored XSS via Shortcode
2023-01-26 00:00:00
prion
prion
Cross site scripting
2023-02-21 09:15:00
cvelist
cvelist
CVE-2022-4784 Hueman Addons <= 2.3.3 - Contributor+ Stored XSS via Shortcode
2023-02-21 08:50:50