WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Page Restriction WordPress < 1.2.7 - Admin+ Stored Cross-Site Scripting

Description

The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.

Proof of Concept

In Page/Post Access tab, Use XSS Payload as "><script>alert('XSS')</script> in any of the pages available.

XSS will be triggered at the plugin's admin panel.

Affects Plugins

page-and-post-restriction
Fixed in version 1.2.7

References

CVE
CVE-2022-1027

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Niraj Mahajan

Submitter

Niraj Mahajan

Submitter website
https://www.linkedin.com/in/niraj1mahajan/
Submitter twitter
niraj1mahajan
Verified

Yes

WPVDB ID
9dbb0d6d-bc84-4b85-8aa5-fa2a8e6fa5e3

Timeline

Publicly Published

2022-04-01 (about 8 months ago)

Added

2022-04-01 (about 8 months ago)

Last Updated

2022-04-09 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin