WordPress Plugin Vulnerabilities

KJM Admin Notices <= 2.0.1 - Admin+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/class-kjm-admin-notices-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Plugin icon
kjm-admin-notices
No known fix

References

CVE
CVE-2021-39344
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39344

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Thinkland Security Team
Verified
No
WPVDB ID
18997e01-1641-4b92-a60b-8d64130a201e

Timeline

Publicly Published
2021-10-14 (about 4 years ago)
Added
2021-10-15 (about 4 years ago)
Last Updated
2022-04-10 (about 4 years ago)

Other

Published
Title
Published
2023-05-11
Title
Owl Carousel <= 0.5.3 - Contributor+ Stored Cross-Site Scripting via shortcode
Published
2024-03-28
Title
Jobeleon Theme < 1.9.2 - Reflected Cross-Site Scripting
Published
2015-08-25
Title
Job Manager <= 0.7.24 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2025-01-14
Title
Tag Groups is the Advanced Way to Display Your Taxonomy Terms < 2.0.5 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
Brand my Footer <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting