WordPress Plugin Vulnerabilities

All in One SEO Pack < 4.3.0 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape multiple parameters, which could allow high privilege users such as admin to perform Stored XSS attacks even when unfiltered_html is disallowed

Affects Plugins

Plugin icon
all-in-one-seo-pack
Fixed in 4.3.0

References

CVE
CVE-2023-0585

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.1 (low)

Miscellaneous

Original Researcher
Marco Wotschka, Ivan Kuzymchak
Verified
No
WPVDB ID
3ace429e-42a8-4b1b-8a39-5262f289cbd9

Timeline

Publicly Published
2023-02-24 (about 3 years ago)
Added
2023-02-24 (about 3 years ago)
Last Updated
2023-02-24 (about 3 years ago)

Other

Published
Title
Published
2023-02-02
Title
Arigato Autoresponder and Newsletter < 2.1.7.2 - Contributor+ Stored XSS
Published
2021-05-17
Title
Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS
Published
2023-09-26
Title
flowpaper < 2.0.4 - Contributor+ Stored XSS
Published
2024-02-29
Title
Visual Composer Premium < 45.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-10
Title
WP-OAuth <= 0.4.1 - Reflected Cross-Site Scripting