WordPress Plugin Vulnerabilities

BuddyBoss Media <= 3.2.3 - Stored XSS

Description

The album description does not perform input / output validation.

According to the researcher:

No reply from vendor. Issue not patched. Vulnerability can be exploited by any user. Form not vulnerable to CSRF.

Proof of Concept

Affects Plugins

Plugin icon
buddyboss-media
No known fix

References

CVE
CVE-2018-21014
URL
https://www.buddyboss.com/product/buddyboss-media/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Submitter
ozzi
Submitter twitter
ozzi_____
Verified
No
WPVDB ID
4ea10862-6adb-4319-8a44-a89eb2cf3e49

Timeline

Publicly Published
2018-01-17 (about 8 years ago)
Added
2018-01-22 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-07-17
Title
Bubble Menu < 3.0.5 - Admin+ Stored XSS
Published
2021-06-25
Title
Event Espresso Core < 4.10.7.p - Reflected Cross-Site Scripting (XSS)
Published
2024-06-06
Title
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library < 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-22
Title
WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
Published
2024-09-30
Title
Jeg Elementor Kit < 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting