WordPress Plugin Vulnerabilities

Chamber Dashboard Business Directory < 3.3.1 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise user input when creating or editing a business in the dashboard, allowing high privilege users (Editor+) to set XSS payloads in various fields.

Proof of Concept

Affects Plugins

Plugin icon
chamber-dashboard-business-directory
Fixed in 3.3.1

References

CVE
CVE-2020-24699
URL
https://l0l.xyz/sec/2020/08/31/1-wordpress-crm-xss.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
mihkelraba
Verified
Yes
WPVDB ID
271e9469-e746-4b50-ba41-7084218e693d

Timeline

Publicly Published
2020-08-31 (about 5 years ago)
Added
2020-09-08 (about 5 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-12-07
Title
Badgearoo <= 1.0.14 - Admin+ Stored XSS
Published
2026-01-25
Title
Omnipress <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
WCS QR Code Generator <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-27
Title
jAlbum Bridge < 2.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-23
Title
WP Helper Lite < 4.3 - Reflected Cross-Site Scripting