WordPress Plugin Vulnerabilities

WP htaccess Control <= 3.5.1 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-htaccess-control
No known fix

References

CVE
CVE-2023-25462

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
93cd7397-06a1-451a-9cbe-55b13ddf0832

Timeline

Publicly Published
2023-05-18 (about 2 years ago)
Added
2023-08-30 (about 2 years ago)
Last Updated
2023-08-30 (about 2 years ago)

Other

Published
Title
Published
2024-12-09
Title
iChart – Easy Charts and Graphs < 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Published
2025-07-17
Title
JetBlog < 2.4.4.1 - Reflected Cross-Site Scripting
Published
2022-10-12
Title
AB Press Optimizer <= 1.1.1 - Admin+ Stored Cross-Site Scripting
Published
2024-12-02
Title
Spectra – WordPress Gutenberg Blocks < 2.16.3 - Contributor+ Stored XSS via Team Widget
Published
2025-02-17
Title
Simplebooklet PDF Viewer and Embedder < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting