WordPress Plugin Vulnerabilities

Widget Settings Importer/Exporter <= 1.5.3 - Authenticated Stored XSS

Description

This flaw allowed an authenticated attacker with minimal, subscriber-level permissions to import and activate custom widgets containing arbitrary JavaScript into a site with the plugin installed.

Affects Plugins

Plugin icon
widget-settings-importexport
No known fix

References

URL
https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.4 (high)

Miscellaneous

Original Researcher
Ram Gall (wordfence)
Verified
No
WPVDB ID
97530dad-ab16-494b-b9a0-ba274139eed8

Timeline

Publicly Published
2020-04-15 (about 6 years ago)
Added
2020-04-15 (about 6 years ago)
Last Updated
2020-04-16 (about 6 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP eCommerce 3.8.9 - Cross-Site Scripting (XSS)
Published
2025-12-29
Title
Flaming Password Reset <= 1.0.3 - Unauthenticated Stored Cross-Site Scripting
Published
2023-06-05
Title
KiviCare Management System < 3.2.1 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
ClickBank Storefront WordPress Plugin <= 1.7 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
DobsonDev Shortcodes <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting