WordPress Plugin Vulnerabilities

Post Connector < 1.0.10 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Affects Plugins

Plugin icon
post-connector
Fixed in 1.0.10

References

CVE
CVE-2023-28931

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Juampa Rodríguez
Verified
Yes
WPVDB ID
7f9f21f6-9aff-4c8b-9a23-9e74b6d9e1ce

Timeline

Publicly Published
2023-07-20 (about 2 years ago)
Added
2023-08-09 (about 2 years ago)
Last Updated
2023-08-21 (about 2 years ago)

Other

Published
Title
Published
2023-06-30
Title
WPFactory Helper < 1.5.3 - Reflected Cross-Site Scripting
Published
2024-04-18
Title
Newspaper < 12.6.6 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Meta
Published
2022-01-24
Title
Anti-Malware Security and Brute-Force Firewall < 4.20.94 - Admin+ Reflected Cross-Site Scripting
Published
2025-02-18
Title
Royal Elementor Addons and Templates < 1.7.1008 - Reflected XSS
Published
2022-06-14
Title
XO Slider < 3.3.3 - Contributor+ Stored Cross-Site Scripting