CVSS3: 5.4 Medium

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.0004 Low (Percentile: 11.9%)

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

Note: First, you need to connect a Google My Business, select Account, and select Location.

Exploit shortcode:

`[gmb-review location='accounts/116528705904907295451/locations/18424478508029415538' autoplay="' onmouseover='alert(1)' style='background:red;width:100px;height:100px;'"]`

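The validate-and-escape step the description says is missing, shown as an added example with the unsafe pattern beside a hardened one. This is not the plugin's source: the `demo-review` shortcode, the function names, the `data-*` markup and the assumption that the value lands in a single-quoted HTML attribute are all hypothetical, and the code expects to run inside WordPress.

```php
<?php
/**
 * Added illustration: hypothetical handlers, not the plugin's code.
 * Assumes the attribute value is written into a single-quoted HTML attribute.
 */

// Unsafe pattern: the shortcode attribute is concatenated into markup unchanged.
function demo_review_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'location' => '', 'autoplay' => 'false' ),
        $atts,
        'demo-review'
    );
    // A value containing ' ends data-autoplay early and adds new attributes.
    return "<div class='demo-reviews' data-autoplay='" . $atts['autoplay'] . "'></div>";
}

// Hardened pattern: validate against the expected type, then escape on output.
function demo_review_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'location' => '', 'autoplay' => 'false' ),
        $atts,
        'demo-review'
    );

    // Validate: autoplay is a flag, so any input collapses to 'true' or 'false'.
    $autoplay = wp_validate_boolean( $atts['autoplay'] ) ? 'true' : 'false';

    // Validate: accept only the accounts/<digits>/locations/<digits> form.
    $location = '';
    if ( preg_match( '#\Aaccounts/\d+/locations/\d+\z#', $atts['location'] ) ) {
        $location = $atts['location'];
    }

    // Escape: esc_attr() encodes quotes and angle brackets for attribute context,
    // so the output stays safe even if the validation above is later loosened.
    return sprintf(
        "<div class='demo-reviews' data-location='%s' data-autoplay='%s'></div>",
        esc_attr( $location ),
        esc_attr( $autoplay )
    );
}

// Only the hardened handler is registered.
add_shortcode( 'demo-review', 'demo_review_shortcode_hardened' );
```
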
CPE

| Name | Operator | Version |
|---|---|---|
| wp-google-my-business-auto-publish | lt | 3.4 |