WordPress Plugin Vulnerabilities

Order Delivery Date for WP e-Commerce <= 1.2 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
order-delivery-date
Fixed in 1.3

References

CVE
CVE-2023-41859
URL
https://patchstack.com/database/wordpress/plugin/order-delivery-date/vulnerability/wordpress-order-delivery-date-for-wp-e-commerce-plugin-1-2-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
474ec644-79b3-4285-b16f-1e37c1ea22dd

Timeline

Publicly Published
2023-10-02 (about 2 years ago)
Added
2023-10-02 (about 2 years ago)
Last Updated
2026-04-09 (about 1 month ago)

Other

Published
Title
Published
2024-06-11
Title
Sitetweet <= 0.2 - Stored XSS via CSRF
Published
2024-07-19
Title
Gutenverse < 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-08-25
Title
Simple Fields <= 1.4.10 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2024-05-02
Title
Flattr <= 1.2.2 - Admin+ Stored XSS
Published
2024-09-30
Title
DK PDF < 1.9.7 - Reflected Cross-Site Scripting