WordPress Plugin Vulnerabilities

Evergreen Content Poster < 1.4.1 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
evergreen-content-poster
Fixed in 1.4.1

References

CVE
CVE-2023-41127
URL
https://patchstack.com/database/vulnerability/evergreen-content-poster/wordpress-evergreen-content-poster-plugin-1-3-6-1-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
DoYeon Park (p6rkdoye0n)
Verified
No
WPVDB ID
140219b6-cc6f-45e4-9f36-96477b9335b8

Timeline

Publicly Published
2023-11-27 (about 2 years ago)
Added
2023-12-02 (about 2 years ago)
Last Updated
2024-03-25 (about 2 years ago)

Other

Published
Title
Published
2024-03-26
Title
WP-Lister Lite for Amazon < 2.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2014-11-10
Title
Shareaholic 7.6.0.3 - XSS
Published
2023-04-03
Title
Product page shipping calculator for WooCommerce < 1.3.21 - Admin+ Stored XSS
Published
2022-01-12
Title
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting
Published
2024-06-18
Title
Ultimate Blocks – WordPress Blocks Plugin < 3.1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox