WordPress Plugin Vulnerabilities

Student Result or Employee Database < 1.7.5 - Stored Cross Site Scripting via CSRF

Description

The plugin does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting

Proof of Concept

Affects Plugins

Plugin icon
simple-student-result
Fixed in 1.7.5

References

CVE
CVE-2022-2312

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Submitter
Vinay Varma Mudunuri
Verified
Yes
WPVDB ID
7548c1fb-77b5-4290-a297-35820edfe0f8

Timeline

Publicly Published
2022-08-01 (about 3 years ago)
Added
2022-08-01 (about 3 years ago)
Last Updated
2023-04-28 (about 2 years ago)

Other

Published
Title
Published
2024-12-23
Title
Responsive Blocks – WordPress Gutenberg Blocks < 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-06
Title
Royal Elementor Addons and Templates < 1.3.92 - Authenticated (Contributor+) Stored Cross-Site Scripting via Logo Widget
Published
2025-04-17
Title
Gravity Forms CSS Themes with Fontawesome and Placeholders <= 8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-02-23
Title
GDPR Cookie Compliance < 4.15.9 - Admin+ Stored XSS
Published
2024-08-28
Title
Premium Portfolio Features for Phlox theme < 2.3.5 - Contributor+ Stored XSS