WordPress Plugin Vulnerabilities

WxSync < 2.8.1 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wxsync
Fixed in 2.8.1

References

CVE
CVE-2023-39988
URL
https://patchstack.com/database/wordpress/plugin/wxsync/vulnerability/wordpress-wxsync-plugin-2-7-23-cross-site-scripting-xss

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
242556ae-fa29-4961-afe6-7a8421d90450

Timeline

Publicly Published
2023-09-04 (about 2 years ago)
Added
2023-09-18 (about 2 years ago)
Last Updated
2025-03-18 (about 1 year ago)

Other

Published
Title
Published
2022-05-03
Title
StaffList < 3.1.6 - Reflected Cross-Site Scripting
Published
2024-10-25
Title
Poll Maker – Versus Polls, Anonymous Polls, Image Polls < 5.4.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
Published
2023-11-02
Title
SEO Slider < 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-08-16
Title
Bravada < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-10
Title
WP Pipes < 1.4.2 - Reflected Cross-Site Scripting via x1 Parameter