WordPress Plugin Vulnerabilities

WP Mail Catcher < 2.1.3 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not adequately sanitize input or escape output in the email subject, which could lead to the injection of arbitrary web scripts.

Affects Plugins

Plugin icon
wp-mail-catcher
Fixed in 2.1.3

References

CVE
CVE-2023-3080
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1525e1c9-4b94-4f9f-92c5-fc69fe000771

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
608422ae-efb4-41bb-81cb-d7f88da09d55

Timeline

Publicly Published
2023-06-09 (about 2 years ago)
Added
2023-07-12 (about 2 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2024-08-23
Title
Custom Permalinks < 2.7.0 - Authenticated(Editor+) Stored Cross-Site Scripting
Published
2023-11-03
Title
Comments Ratings <= 1.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-01-16
Title
CC Circle Progress Bar <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-06
Title
Posts List Designer by Category < 3.2 - Contributor+ Stored XSS via Shortcode
Published
2025-01-06
Title
Woo Ukrposhta < 1.18.0 - Reflected Cross-Site Scripting via order, post, and idd Parameters