WordPress Plugin Vulnerabilities

Ultimate Reviews < 3.0.16 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters available to high privilege users such as admin which could allow them to perform Cross-Site Scripting attacks woven when the unfiltered_html capability is disallowed

Affects Plugins

Plugin icon
ultimate-reviews
Fixed in 3.0.16

References

CVE
CVE-2022-23979

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
0b554c48-2483-4c32-9144-04b510e51151

Timeline

Publicly Published
2022-01-06 (about 4 years ago)
Added
2022-01-29 (about 4 years ago)
Last Updated
2022-04-09 (about 4 years ago)

Other

Published
Title
Published
2023-02-24
Title
All in One SEO Pack < 4.3.0 - Admin+ Stored XSS
Published
2023-10-29
Title
Simple Shortcodes <= 1.0.20 - Contributor+ Stored Cross-Site Scripting
Published
2015-10-03
Title
Quotes And Tips <= 1.19 - Cross-Site Scripting (XSS)
Published
2025-03-21
Title
WP Contact Form III <= 1.6.2d - Reflected Cross-Site Scripting
Published
2024-09-30
Title
Jeg Elementor Kit < 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting