WordPress Plugin Vulnerabilities

Don8 <= 0.4 - Admin+ Stored XSS

Description

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Affects Plugins

Plugin icon
don8
No known fix

References

CVE
CVE-2023-32582
URL
https://patchstack.com/database/vulnerability/don8/wordpress-don8-plugin-0-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Yash Kanchhal
Verified
No
WPVDB ID
61850bfa-40f5-4d86-8400-0dc00671edac

Timeline

Publicly Published
2023-06-03 (about 2 years ago)
Added
2023-06-04 (about 2 years ago)
Last Updated
2023-06-04 (about 2 years ago)

Other

Published
Title
Published
2022-08-30
Title
WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
Published
2025-01-16
Title
Simple Vertical Timeline <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-10-18
Title
Active Directory Integration / LDAP Integration < 3.6.95 - Reflected Cross-Site Scripting
Published
2015-04-20
Title
Two Factor Authentication < 1.1.10 - XSS
Published
2025-04-17
Title
Bulk Page Stub Creator < 1.2 - Reflected Cross-Site Scripting