WordPress Plugin Vulnerabilities

PDQ CSV < 2.0.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Affects Plugins

Plugin icon
pdq-csv
Fixed in 2.0.0

References

CVE
CVE-2023-31221
URL
https://patchstack.com/database/vulnerability/pdq-csv/wordpress-pdq-csv-plugin-1-0-0-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Gaurav Bhosale
Verified
Yes
WPVDB ID
445702f6-d7ac-4931-98f0-56e732512602

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-08-09 (about 2 years ago)
Last Updated
2024-01-15 (about 2 years ago)

Other

Published
Title
Published
2024-12-06
Title
WP-SVG <= 0.9 - Contributor+ Stored XSS via Shortcode
Published
2024-05-24
Title
Similarity <= 3.0 - Stored XSS via CSRF
Published
2024-07-08
Title
Ultimate Blocks < 3.2.0 - Contributor+ Stored XSS
Published
2024-06-06
Title
TemplatesNext OnePager <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-15
Title
Edwiser Bridge < 3.0.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting