WordPress Plugin Vulnerabilities

WP Default Feature Image <= 1.0.1.1 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-default-feature-image
No known fix

References

CVE
CVE-2023-25488

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Nithissh S
Verified
No
WPVDB ID
5dcc836f-0c2c-45ff-affe-916d3e126d3a

Timeline

Publicly Published
2023-09-01 (about 2 years ago)
Added
2023-09-18 (about 2 years ago)
Last Updated
2023-09-18 (about 2 years ago)

Other

Published
Title
Published
2026-01-06
Title
WP Widget Changer <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Published
2023-01-20
Title
WP Time Slots Booking Form < 1.1.82 - Admin+ Stored XSS
Published
2025-01-14
Title
ViewMedica 9 < 1.4.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-03
Title
Studiocart <= 2.9.0 - Reflected XSS
Published
2023-06-19
Title
TinyMCE Custom Styles < 1.1.4 - Admin+ Stored Cross-Site Scripting