WordPress Plugin Vulnerabilities

PublishPress Editorial Calendar < 3.5.1 - Reflected Cross-Site Scripting

Description

The plugin does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
publishpress
Fixed in 3.5.1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
24bd8238-1b3f-4f9f-861d-978c6b80e1c1

Timeline

Publicly Published
2021-09-06 (about 4 years ago)
Added
2021-09-06 (about 4 years ago)
Last Updated
2021-09-06 (about 4 years ago)

Other

Published
Title
Published
2024-03-26
Title
Elementor Website Builder Pro < 3.20.2 - Authententicated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-24
Title
Build <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-02
Title
Vayu Blocks < 1.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes
Published
2025-03-11
Title
wordpress login form to anywhere <= 0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-04-09
Title
Gutenberg 12.9.0 - 18.0.0 - Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block