WordPress Plugin Vulnerabilities

Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect

Description

The plugin does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain.

Proof of Concept

Affects Plugins

Plugin icon
accesspress-anonymous-post
No known fix

References

CVE
CVE-2022-4946

Classification

Type
REDIRECT
OWASP top 10
A1: Injection
CWE
CWE-601
CVSS
2.7 (low)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
6e222018-a3e0-4af0-846c-6f00b67dfbc0

Timeline

Publicly Published
2023-05-11 (about 2 years ago)
Added
2023-05-11 (about 2 years ago)
Last Updated
2023-05-11 (about 2 years ago)

Other

Published
Title
Published
2019-10-21
Title
Bridge Theme < 18.2.1 - Open Redirect
Published
2023-10-27
Title
Seraphinite Accelerator < 2.2.29 - Authenticated Arbitrary Redirect
Published
2023-10-06
Title
affiliate-toolkit – WordPress Affiliate Plugin < 3.4.0 - Open Redirect via atkpout.php
Published
2024-08-09
Title
Easy PayPal Buy Now Button < 1.9.1 - Unauthenticated Open Redirect
Published
2024-10-24
Title
Sunshine Photo Cart < 3.2.11 - Open Redirect