WordPress Plugin Vulnerabilities

Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Title

Description

The plugin does not sanitise and escape post/page Title, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
visualcomposer
Fixed in 45.0.1

References

CVE
CVE-2022-2516

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Zhouyuan Yang
Verified
Yes
WPVDB ID
287bdd2e-2b0a-4276-b44f-77dda5f3e227

Timeline

Publicly Published
2022-08-29 (about 3 years ago)
Added
2022-08-30 (about 3 years ago)
Last Updated
2022-09-02 (about 3 years ago)

Other

Published
Title
Published
2024-11-08
Title
Pro Addons For Elementor < 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-04-02
Title
ULeak Security & Monitoring <= 1.2.3 - Subscriber+ Stored Cross-Site Scripting
Published
2022-08-22
Title
WBW Currency Switcher for WooCommerce < 1.6.6 - Admin+ Stored XSS
Published
2022-12-15
Title
Post Status Notifier Lite < 1.10.1 - Reflected XSS
Published
2024-04-16
Title
Knight Lab Timeline <= 3.9.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting