WordPress Plugin Vulnerabilities

Indeed Job Importer <= 1.0.5 - Admin+ Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/indeed-job-importer/trunk/indeed-job-importer.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

Plugin icon
indeed-job-importer
No known fix

References

CVE
CVE-2021-39355
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39355

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Thinkland Security Team
Verified
No
WPVDB ID
8ddf81f6-b0be-4f66-b9d7-589b83950e46

Timeline

Publicly Published
2021-10-15 (about 4 years ago)
Added
2021-10-16 (about 4 years ago)
Last Updated
2022-04-15 (about 4 years ago)

Other

Published
Title
Published
2024-05-20
Title
Simple Popup Manager <= 1.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2022-12-24
Title
Easy Bootstrap Shortcode <= 4.5.4 - Contributor+ Stored XSS
Published
2024-03-25
Title
Church Admin < 4.1.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text
Published
2024-03-26
Title
Elementor Website Builder – More than Just a Page Builder < 3.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation
Published
2012-08-10
Title
Quick Post Widget 1.9.1 - Multiple Cross-Site Scripting (XSS)