Lucene search
Lana CodesWPVDB-ID:BA653457-415F-4AB3-A792-42640B59302BHistoryJan 18, 2023 - 12:00 a.m.
Location Weather < 1.3.4 - Contributor+ Stored XSS
2023-01-1800:00:00
Lana Codes
wpscan.com
6
location weather
stored xss
contributor
cross-site scripting
plugin vulnerability
page/post embed
0.001 Low
EPSS
Percentile
23.5%
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PoC
Exploit Additional CSS class(es) for “Location Weather” Gutenberg block: " onmouseover=“alert(1)” style=“background:red;” Note: First, you need to add a Location Weather.
| CPE | Name | Operator | Version |
|---|---|---|---|
| location-weather | lt | 1.3.4 |
Related
cve
cve
CVE-2023-0360
2023-02-13 15:15:21
prion
prion
Cross site scripting
2023-02-13 15:15:00
wpexploit
wpexploit
Location Weather < 1.3.4 - Contributor+ Stored XSS
2023-01-18 00:00:00
cvelist
cvelist
CVE-2023-0360 Location Weather < 1.3.4 - Contributor+ Stored XSS
2023-02-13 14:32:33
nvd
nvd
CVE-2023-0360
2023-02-13 15:15:21