WordPress Plugin Vulnerabilities

Recently < 3.0.5 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not properly sanitise or escape its default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
recently
Fixed in 3.0.5

References

URL
https://plugins.trac.wordpress.org/changeset/2542693

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Yu Iwama of Secure Sky Technology Inc. and the JPCERT/CC Vulnerability Coordination Group
Verified
Yes
WPVDB ID
5909430c-6b7f-4be6-869e-6ab8468b8ca3

Timeline

Publicly Published
2021-06-07 (about 4 years ago)
Added
2021-06-07 (about 4 years ago)
Last Updated
2021-06-07 (about 4 years ago)

Other

Published
Title
Published
2022-04-21
Title
VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ Stored Cross-Site Scripting
Published
2025-04-01
Title
SMM API <= 6.0.31 - Unauthenticated Stored Cross-Site Scripting
Published
2025-12-30
Title
Team Showcase < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2012-05-15
Title
Survey And Quiz Tool <= 2.9.2 - Cross Site Scripting
Published
2025-01-06
Title
WPBITS Addons For Elementor Page Builder < 1.6 - Authenticated (Author+) Stored Cross-Site Scripting