WordPress Plugin Vulnerabilities

Shield Security < 17.0.18 - Unauthenticated Stored XSS

Description

The plugin does not escape the User Agent header retrieved via audit log records, which could allow unauthenticated attackers to perform Stored XSS attacks

Affects Plugins

Plugin icon
wp-simple-firewall
Fixed in 17.0.18

References

CVE
CVE-2023-0992
URL
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
9215e435-35a5-4f77-ab35-5c7ce0ffb52d

Timeline

Publicly Published
2023-04-25 (about 2 years ago)
Added
2023-04-25 (about 2 years ago)
Last Updated
2023-04-25 (about 2 years ago)

Other

Published
Title
Published
2022-05-03
Title
VikBooking < 1.5.9 - Reflected Cross-Site Scripting
Published
2024-07-06
Title
WP Cookie Law Info <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2014-10-07
Title
Titan Framework 1.0.1-1.5.2 - Reflected Cross-Site Scripting (XSS)
Published
2023-08-29
Title
Social Media & Share Icons < 2.8.4 - Reflected XSS
Published
2019-08-20
Title
Variation Swatches for WooCommerce < 1.0.62 - Reflected XSS