WordPress Plugin Vulnerabilities

Lava Directory Manager <= 1.1.34 - Unauthenticated Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
lava-directory-manager
No known fix

References

CVE
CVE-2023-46081
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/lava-directory-manager/lava-directory-manager-1134-unauthenticated-stored-cross-site-scripting-via-new-listing
URL
https://patchstack.com/database/vulnerability/lava-directory-manager/wordpress-lava-directory-manager-plugin-1-1-34-unauth-stored-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
7f9597c7-511f-4d72-848c-68ab7fcc0a5f

Timeline

Publicly Published
2023-10-16 (about 2 years ago)
Added
2023-10-27 (about 2 years ago)
Last Updated
2023-10-27 (about 2 years ago)

Other

Published
Title
Published
2024-01-09
Title
Community by PeepSo < 6.3.1.2 - Reflected XSS
Published
2025-09-22
Title
Ultimate Store Kit Elementor Addons < 2.8.7 - Contributor+ Stored XSS
Published
2024-03-25
Title
SEO Backlink Monitor < 1.6.0 - Reflected Cross-Site Scripting
Published
2025-05-20
Title
Raisely Donation Form < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode
Published
2024-12-04
Title
Accounting for WooCommerce < 1.6.7 - Reflected Cross-Site Scripting