WordPress Plugin Vulnerabilities

Andrea Pernici News Sitemap for Google <= 1.0.16 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
google-news-sitemap
No known fix

References

CVE
CVE-2021-36912

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
John Castro
Verified
No
WPVDB ID
646064ae-71f5-4628-9f05-b63c9daa9da3

Timeline

Publicly Published
2022-05-04 (about 4 years ago)
Added
2022-05-07 (about 4 years ago)
Last Updated
2022-05-08 (about 4 years ago)

Other

Published
Title
Published
2024-02-07
Title
Elementor Addons by Livemesh < 8.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-03-25
Title
FloristPress for Woo < 7.8.3 - Reflected Cross-Site Scripting via 'noresults' Parameter
Published
2016-09-06
Title
Advanced ads Management <= 1.3 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2024-10-14
Title
my flatonica <= 0.0.8 & my wooden under construction <= 2.0.7 - Reflected Cross-Site Scripting
Published
2019-05-25
Title
Hostel Plugin <= 1.1.3 - Unauthenticated Stored XSS