WordPress Plugin Vulnerabilities

System Dashboard < 2.8.10 - XSS via Header Injection

Description

The plugin does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
system-dashboard
Fixed in 2.8.10

References

CVE
CVE-2023-7246
URL
https://research.cleantalk.org/cve-2023-7246/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
7413d5ec-10a7-4cb8-ac1c-4ef554751518

Timeline

Publicly Published
2024-02-28 (about 1 year ago)
Added
2024-02-28 (about 1 year ago)
Last Updated
2024-06-04 (about 1 year ago)

Other

Published
Title
Published
2017-04-14
Title
RSS Includes Pages <= 3.6 - XSS
Published
2025-03-31
Title
Flag Icons <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-03-15
Title
Slide Anything < 2.4.9 - Author+ Stored XSS
Published
2025-04-04
Title
Posts Footer Manager <= 2.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-04-02
Title
Social Share And Social Locker <= 1.4.1 - Reflected Cross-Site Scripting