WordPress Plugin Vulnerabilities

Copify <= 1.3.0 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF when updating its settings, and it also missing sanitisation as well as escaping in some of them. This could allow attackers to make a logged in admin update them and put Stored Cross-Site Scripting payloads in them

Affects Plugins

Plugin icon
copify
No known fix

References

CVE
CVE-2022-1900

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Yuki Hoshi, Cryptography Laboratory in Tokyo Denki University
Verified
Yes
WPVDB ID
5cad0b71-f3e4-4797-9c9e-5bb390b03878

Timeline

Publicly Published
2022-06-08 (about 3 years ago)
Added
2022-06-08 (about 3 years ago)
Last Updated
2023-03-10 (about 3 years ago)

Other

Published
Title
Published
2022-11-02
Title
4ECPS Web Forms <= 0.2.17 - Admin+ Stored XSS
Published
2026-02-13
Title
PowerPress Podcasting < 11.15.14 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2024-06-17
Title
Excellent < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-14
Title
Product Carousel For WooCommerce < 1.1.1 - Contributor+ Stored XSS
Published
2024-03-15
Title
HT Easy GA4 ( Google Analytics 4 ) < 1.1.8 - Reflected Cross-Site Scripting