WPVDB-ID: CF51FA0A-356C-487C-883F-634FA8F90E73
History: Nov 28, 2022 - 12:00 a.m.

FlyingPress < 3.9.7 - Arbitrary Settings Update to Stored XSS

Published: 2022-11-28 00:00:00
Source: wpscan.com
Tags: flyingpress, plugin, arbitrary settings, stored xss, authorization, ajax actions, authenticated users, subscribers, static files url, malicious cdn

The plugin does not perform authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. One of those actions could allow such a user to rewrite the URLs of static files (JS, CSS etc.) to point at a malicious CDN under their control, which could lead to Stored XSS.

CPE Name: flying-press
Operator: lt
Version: 3.9.7