Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
Add/edit a Quote and put the following payload in the "Quote" and "Author" fields: <img src onerror=alert(/XSS/)>
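As an added illustration (constructed for this page, not the Great Quotes plugin's own code; the option key, form field names, hook and capability are assumptions), the unescaped pattern the description calls out, beside the usual WordPress fix: sanitise on save with sanitize_text_field() and escape on output with esc_html(), so markup stored by a user who lacks unfiltered_html can never execute in another administrator's browser.

```php
<?php
// Constructed example, not Great Quotes' own code. Hypothetical option key,
// POST field names, admin_post action and capability.
const EXAMPLE_QUOTES_OPTION = 'example_quotes';

// VULNERABLE pattern: stored value echoed verbatim. If the save path also
// stores $_POST as-is, a Quote/Author containing markup runs on every view,
// and WordPress' filtered-HTML rules for users without unfiltered_html
// never apply because the field is not post content.
function example_render_quote_vulnerable( array $q ) {
    echo '<blockquote>' . $q['quote'] . ' &mdash; ' . $q['author'] . '</blockquote>';
}

// HARDENED: capability + nonce check, sanitise on write, escape on read.
function example_save_quote_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {   // capability assumed
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_save_quote' );       // nonce action assumed

    $quote  = isset( $_POST['quote'] )  ? wp_unslash( $_POST['quote'] )  : '';
    $author = isset( $_POST['author'] ) ? wp_unslash( $_POST['author'] ) : '';

    // Plain-text fields: strip all tags. If limited markup must be allowed,
    // use wp_kses_post() instead, which applies the same filtered-HTML rules
    // WordPress enforces on post content for users without unfiltered_html.
    $quotes   = get_option( EXAMPLE_QUOTES_OPTION, array() );
    $quotes[] = array(
        'quote'  => sanitize_text_field( $quote ),
        'author' => sanitize_text_field( $author ),
    );
    update_option( EXAMPLE_QUOTES_OPTION, $quotes );
}

function example_render_quote_hardened( array $q ) {
    // Escape at output regardless of what was stored: defence in depth
    // against rows written before the fix or through another code path.
    printf(
        '<blockquote>%s &mdash; %s</blockquote>',
        esc_html( $q['quote'] ),
        esc_html( $q['author'] )
    );
}

add_action( 'admin_post_example_save_quote', 'example_save_quote_hardened' );
```

Sanitising on save alone is not enough for rows already in the database; the esc_html() at output is what neutralises previously stored markup.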
Classification
Type
XSS
Miscellaneous
Original Researcher
Vishal Mohan
Submitter
Vishal Mohan
Verified
Yes
Timeline
Publicly Published
2021-09-27
Added
2021-09-27
Last Updated
2022-04-14