WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payload in the Custom DB Prefix settings of the plugin: Books_n_Papers" style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

books-papers
No known fix - plugin closed

References

CVE
CVE-2022-1156

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

fuzzyap1

Submitter

fuzzyap1

Verified

Yes

WPVDB ID
76ad4273-6bf4-41e9-99a8-bf6d634608ac

Timeline

Publicly Published

2022-03-29 (about 1 years ago)

Added

2022-03-29 (about 1 years ago)

Last Updated

2022-04-13 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin