Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-0892

The BizLibrary WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE
Open in Source
#xss#wordpress
CVE-2023-0644

The Push Notifications for WordPress by PushAssist WordPress plugin through 3.0.8 does not sanitise and escape various parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-1019

The Help Desk WP WordPress plugin through 1.2.0 does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks.

CVE-2023-23682: WordPress EZP Maintenance Mode plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Snap Creek Software EZP Maintenance Mode plugin <= 1.0.1 versions.

CVE-2023-0490

The f(x) TOC WordPress plugin through 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0520

The RapidExpCart WordPress plugin through 1.0 does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin, furthermore lack of csrf protection means an attacker can trick a logged in admin to perform the attack by submitting a hidden form.

CVE-2023-0233

The ActiveCampaign WordPress plugin before 8.1.12 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

CVE-2023-23688: WordPress Social Share Boost plugin <= 4.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Sumo Social Share Boost plugin <= 4.4 versions.

CVE-2023-23683: WordPress White Label Branding for Elementor Page Builder plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ozan Canakli White Label Branding for Elementor Page Builder plugin <= 1.0.2 versions.

CVE-2023-23674: WordPress WP Original Media Path plugin <= 2.4.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in RVOLA WP Original Media Path plugin <= 2.4.0 versions.