WordPress Plugin Vulnerabilities

WP-CORS < 0.2.2 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-cors
Fixed in 0.2.2

References

CVE
CVE-2022-47606

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Justiice
Verified
No
WPVDB ID
6ad7bfad-6f70-4a93-b0e3-3639f1f2bf76

Timeline

Publicly Published
2023-04-28 (about 3 years ago)
Added
2023-05-10 (about 3 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2025-01-31
Title
Site Search 360 < 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-01
Title
Custom post type templates for Elementor < 1.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-06-14
Title
10Web Map Builder for Google Maps < 1.0.70 - Authenticated Stored XSS
Published
2016-06-21
Title
WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
Published
2023-12-27
Title
Custom Post Carousels with Owl < 1.4.7 - Authenticated (Editor+) Stored Cross-Site Scripting