WordPress Plugin Vulnerabilities

Goods Catalog <= 2.4.1 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
goods-catalog
No known fix

References

CVE
CVE-2023-41687
URL
https://patchstack.com/database/vulnerability/goods-catalog/wordpress-goods-catalog-plugin-2-4-1-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
7f03f1c3-44b0-48aa-8600-9515ffb189c6

Timeline

Publicly Published
2023-09-04 (about 2 years ago)
Added
2023-09-29 (about 2 years ago)
Last Updated
2023-09-29 (about 2 years ago)

Other

Published
Title
Published
2024-12-20
Title
Shortcodes and extra features for Phlox theme < 2.17.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
Published
2024-05-07
Title
Gold Addons for Elementor < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2017-09-26
Title
WP Jobs < 1.7 - XSS
Published
2024-11-08
Title
SimpleGMaps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-23
Title
Extra Product Options Builder for WooCommerce < 1.2.134 - Unauthenticated Stored Cross-Site Scripting