Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry plugin <= 10.0.1 versions.

**Solution**

 Fixed

Update the WordPress PowerPress Podcasting plugin to the latest available version (at least 10.0.2).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress PowerPress Podcasting Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 10.0.2.

**Other vulnerabilities in this plugin**

 0 present

 7 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-30778: WordPress PowerPress Podcasting plugin by Blubrry plugin <= 10.0.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.

CVE-2023-2916: core.class.php in iwp-client/tags/1.11.1 – WordPress Plugin Repository

The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Timestamp:

08/11/2023 10:14:44 PM (10 days ago)

specialk

Message:

Updates plugin to version 20230811  

Location:

user-submitted-posts

Files:

  

*   tags/20230811 _(copied from user-submitted-posts/trunk)_
*   tags/20230811/library/plugin-display.php (1 diff)
*   tags/20230811/library/shortcode-misc.php (3 diffs)
*   tags/20230811/readme.txt (2 diffs)
*   tags/20230811/user-submitted-posts.php (2 diffs)
*   trunk/library/plugin-display.php (1 diff)
*   trunk/library/shortcode-misc.php (3 diffs)
*   trunk/readme.txt (2 diffs)
*   trunk/user-submitted-posts.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **user-submitted-posts/tags/20230811/library/plugin-display.php**
    
    r2944386
    
    r2952471
    
     
    
    739
    
    739
    
    <pre>class  = classes for the parent element (optional, default: none)
    
    740
    
    740
    
    value  = link text (optional, default: "Reset form")
    
    741
    
     
    
    url    = the URL where your form is displayed (required, default: none)
    
    742
    
     
    
    custom = any attributes or custom code for the link element (optional, default: none)</pre>
    
     
    
    741
    
    url    = the URL where your form is displayed (required, default: none)</pre>
    
    743
    
    742
    
                                    <p><?php esc\_html\_e('Note that the url attribute accepts', 'usp'); ?> <code>%%current%%</code> <?php esc\_html\_e('to get the current URL.', 'usp'); ?></p>
    
    744
    
    743
    
                                </div>
    
*   **user-submitted-posts/tags/20230811/library/shortcode-misc.php**
    
    r2951862
    
    r2952471
    
     
    
    9
    
    9
    
            value  = link text (optional, default: "Reset form")
    
    10
    
    10
    
            url    = the URL where your form is displayed (can use %%current%% for current URL)
    
    11
    
     
    
            custom = any attributes or custom code for the link element
    
    12
    
    11
    
       
    
    13
    
    12
    
    \*/
    
    …
    
    …
    
     
    
    15
    
    14
    
       
    
    16
    
    15
    
        extract(shortcode\_atts(array(
    
    17
    
     
    
            'class'  => '',
    
    18
    
     
    
            'value'  => \_\_('Reset form', 'usp'),
    
    19
    
     
    
            'url'    => '#please-check-shortcode',
    
    20
    
     
    
            'custom' => '',
    
     
    
    16
    
            'class' => '',
    
     
    
    17
    
            'value' => \_\_('Reset form', 'usp'),
    
     
    
    18
    
            'url'   => '#please-check-shortcode',
    
    21
    
    19
    
        ), $args));
    
    22
    
    20
    
       
    
    …
    
    …
    
     
    
    35
    
    33
    
        $class = empty($class) ? '' : ' class="'. esc\_attr($class) .'"';
    
    36
    
    34
    
       
    
    37
    
     
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"'. esc\_attr($custom) .'\>'. esc\_html($value) .'</a></p>';
    
     
    
    35
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"\>'. esc\_html($value) .'</a></p>';
    
    38
    
    36
    
       
    
    39
    
    37
    
        return $output;
    
*   **user-submitted-posts/tags/20230811/readme.txt**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
    Requires at least: 4.6
    
    12
    
    12
    
    Tested up to: 6.3
    
    13
    
     
    
    Stable tag: 20230809
    
    14
    
     
    
    Version:    20230809
    
     
    
    13
    
    Stable tag: 20230811
    
     
    
    14
    
    Version:    20230811
    
    15
    
    15
    
    Requires PHP: 5.6.20
    
    16
    
    16
    
    Text Domain: usp
    
    …
    
    …
    
     
    
    819
    
    819
    
    820
    
    820
    
     
    
    821
    
    \*\*20230811\*\*
    
     
    
    822
    
     
    
    823
    
    \* Removes \`$custom\` variable from \`usp\_reset\_button\_shortcode()\`
    
     
    
    824
    
    \* Tests on WordPress 6.3
    
     
    
    825
    
    821
    
    826
    
    \*\*20230809\*\*
    
    822
    
    827
    
*   **user-submitted-posts/tags/20230811/user-submitted-posts.php**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
        Requires at least: 4.6
    
    12
    
    12
    
        Tested up to: 6.3
    
    13
    
     
    
        Stable tag: 20230809
    
    14
    
     
    
        Version:    20230809
    
     
    
    13
    
        Stable tag: 20230811
    
     
    
    14
    
        Version:    20230811
    
    15
    
    15
    
        Requires PHP: 5.6.20
    
    16
    
    16
    
        Text Domain: usp
    
    …
    
    …
    
     
    
    39
    
    39
    
    40
    
    40
    
    if (!defined('USP\_WP\_VERSION')) define('USP\_WP\_VERSION', '4.6');
    
    41
    
     
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230809');
    
     
    
    41
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230811');
    
    42
    
    42
    
    if (!defined('USP\_PLUGIN'))     define('USP\_PLUGIN', esc\_html\_\_('User Submitted Posts', 'usp'));
    
    43
    
    43
    
    if (!defined('USP\_FILE'))       define('USP\_FILE', plugin\_basename(\_\_FILE\_\_));
    
*   **user-submitted-posts/trunk/library/plugin-display.php**
    
    r2944386
    
    r2952471
    
     
    
    739
    
    739
    
    <pre>class  = classes for the parent element (optional, default: none)
    
    740
    
    740
    
    value  = link text (optional, default: "Reset form")
    
    741
    
     
    
    url    = the URL where your form is displayed (required, default: none)
    
    742
    
     
    
    custom = any attributes or custom code for the link element (optional, default: none)</pre>
    
     
    
    741
    
    url    = the URL where your form is displayed (required, default: none)</pre>
    
    743
    
    742
    
                                    <p><?php esc\_html\_e('Note that the url attribute accepts', 'usp'); ?> <code>%%current%%</code> <?php esc\_html\_e('to get the current URL.', 'usp'); ?></p>
    
    744
    
    743
    
                                </div>
    
*   **user-submitted-posts/trunk/library/shortcode-misc.php**
    
    r2951862
    
    r2952471
    
     
    
    9
    
    9
    
            value  = link text (optional, default: "Reset form")
    
    10
    
    10
    
            url    = the URL where your form is displayed (can use %%current%% for current URL)
    
    11
    
     
    
            custom = any attributes or custom code for the link element
    
    12
    
    11
    
       
    
    13
    
    12
    
    \*/
    
    …
    
    …
    
     
    
    15
    
    14
    
       
    
    16
    
    15
    
        extract(shortcode\_atts(array(
    
    17
    
     
    
            'class'  => '',
    
    18
    
     
    
            'value'  => \_\_('Reset form', 'usp'),
    
    19
    
     
    
            'url'    => '#please-check-shortcode',
    
    20
    
     
    
            'custom' => '',
    
     
    
    16
    
            'class' => '',
    
     
    
    17
    
            'value' => \_\_('Reset form', 'usp'),
    
     
    
    18
    
            'url'   => '#please-check-shortcode',
    
    21
    
    19
    
        ), $args));
    
    22
    
    20
    
       
    
    …
    
    …
    
     
    
    35
    
    33
    
        $class = empty($class) ? '' : ' class="'. esc\_attr($class) .'"';
    
    36
    
    34
    
       
    
    37
    
     
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"'. esc\_attr($custom) .'\>'. esc\_html($value) .'</a></p>';
    
     
    
    35
    
        $output = '<p'. $class .'><a href="'. esc\_url($href) .'"\>'. esc\_html($value) .'</a></p>';
    
    38
    
    36
    
       
    
    39
    
    37
    
        return $output;
    
*   **user-submitted-posts/trunk/readme.txt**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
    Requires at least: 4.6
    
    12
    
    12
    
    Tested up to: 6.3
    
    13
    
     
    
    Stable tag: 20230809
    
    14
    
     
    
    Version:    20230809
    
     
    
    13
    
    Stable tag: 20230811
    
     
    
    14
    
    Version:    20230811
    
    15
    
    15
    
    Requires PHP: 5.6.20
    
    16
    
    16
    
    Text Domain: usp
    
    …
    
    …
    
     
    
    819
    
    819
    
    820
    
    820
    
     
    
    821
    
    \*\*20230811\*\*
    
     
    
    822
    
     
    
    823
    
    \* Removes \`$custom\` variable from \`usp\_reset\_button\_shortcode()\`
    
     
    
    824
    
    \* Tests on WordPress 6.3
    
     
    
    825
    
    821
    
    826
    
    \*\*20230809\*\*
    
    822
    
    827
    
*   **user-submitted-posts/trunk/user-submitted-posts.php**
    
    r2951862
    
    r2952471
    
     
    
    11
    
    11
    
        Requires at least: 4.6
    
    12
    
    12
    
        Tested up to: 6.3
    
    13
    
     
    
        Stable tag: 20230809
    
    14
    
     
    
        Version:    20230809
    
     
    
    13
    
        Stable tag: 20230811
    
     
    
    14
    
        Version:    20230811
    
    15
    
    15
    
        Requires PHP: 5.6.20
    
    16
    
    16
    
        Text Domain: usp
    
    …
    
    …
    
     
    
    39
    
    39
    
    40
    
    40
    
    if (!defined('USP\_WP\_VERSION')) define('USP\_WP\_VERSION', '4.6');
    
    41
    
     
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230809');
    
     
    
    41
    
    if (!defined('USP\_VERSION'))    define('USP\_VERSION', '20230811');
    
    42
    
    42
    
    if (!defined('USP\_PLUGIN'))     define('USP\_PLUGIN', esc\_html\_\_('User Submitted Posts', 'usp'));
    
    43
    
    43
    
    if (!defined('USP\_FILE'))       define('USP\_FILE', plugin\_basename(\_\_FILE\_\_));
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-4308: Changeset 2952471 for user-submitted-posts – WordPress Plugin Repository

LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers.

CVE-2023-40518: LiteSpeed Web Server Release Log

The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.

CVE-2023-3601

The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks.

CVE-2023-3435

The Custom Field For WP Job Manager WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-3328

The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-2803

The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-2802

The WP Brutal AI WordPress plugin before 2.06 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Tag

#wordpress