WordPress Plugin Vulnerabilities

Recall Products <= 0.8 - Authenticated Cross-Site Scripting

Description

The stored XSS will occur when creating a new manufacturer by clicking the "add new" tab and providing a XSS payload as the manufacturer name. This payload will then be executed whenever a user visits the "manufacturer" tab.

Affects Plugins

Plugin icon
recall-products
No known fix

References

CVE
CVE-2020-25380
URL
https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
ZeroAptitude
Verified
No
WPVDB ID
47748553-96e3-428d-a7bc-90ec91e85985

Timeline

Publicly Published
2020-08-31 (about 5 years ago)
Added
2020-08-31 (about 5 years ago)
Last Updated
2021-01-19 (about 5 years ago)

Other

Published
Title
Published
2021-07-14
Title
Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2014-08-01
Title
ShrimpTest 1.0b2 - admin/experiment-new.php Multiple Unspecified XSS
Published
2023-10-20
Title
Add Custom Body Class <= 1.4.1 - Contributor+ Stored Cross-Site Scripting
Published
2021-06-16
Title
Backup by 10Web <= 1.0.20 - Reflected Cross-Site Scripting (XSS)
Published
2025-01-23
Title
Precious Metals Charts and Widgets for WordPress < 1.2.9 - Authenticated (Contributor+) Stored Cross-site Scripting