WordPress Plugin Vulnerabilities

We’re Open! < 1.38 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
opening-hours
Fixed in 1.38

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Verified
No
WPVDB ID
664481f2-efca-4f58-896d-a266ac7a5760

Timeline

Publicly Published
2022-09-09 (about 3 years ago)
Added
2023-06-14 (about 2 years ago)
Last Updated
2023-06-14 (about 2 years ago)

Other

Published
Title
Published
2025-01-03
Title
Media Library Assistant < 3.24 - Reflected Cross-Site Scripting via smc_settings_tab, unattachfixit-action, and woofixit-action Parameters
Published
2024-10-08
Title
Auto iFrame < 1.8 - Authenticated (Author+) Stored Cross-Site Scripting via tag Parameter
Published
2023-06-26
Title
Conditional extra fees for WooCommerce < 1.0.97 - Admin+ Stored XSS
Published
2026-03-17
Title
Code Embed < 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
Published
2025-05-19
Title
Cost Calculator Builder < 3.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting