WordPress Plugin Vulnerabilities

Limit Bio <= 1.0 - Stored XSS via CSRF

Description

The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
limit-bio
No known fix

References

CVE
CVE-2025-1436

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
849ed0a0-be17-43cf-a3a1-ad54dfb33d57

Timeline

Publicly Published
2025-02-20 (about 10 months ago)
Added
2025-02-20 (about 10 months ago)
Last Updated
2025-02-20 (about 10 months ago)

Other

Published
Title
Published
2023-09-25
Title
Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS
Published
2024-09-24
Title
Simple Calendar – Google Calendar Plugin < 3.4.3 - Reflected Cross-Site Scripting
Published
2025-01-03
Title
Piotnet Addons For Elementor < 2.4.32 - Contributor+ Stored XSS
Published
2022-08-29
Title
Slickr Flickr <= 2.8.1 - Admin+ Stored Cross-Site Scripting
Published
2022-03-14
Title
Members List < 4.3.7 - Reflected Cross-Site Scripting