WordPress Plugin Vulnerabilities

My Content Management < 1.7.7 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
my-content-management
Fixed in 1.7.7

References

CVE
CVE-2023-34377

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
a44bc190-307f-4150-8043-63dfa10c1065

Timeline

Publicly Published
2023-06-30 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2025-07-01
Title
Beautiful Cookie Consent Banner < 4.6.2 - Reflected Cross-Site Scripting
Published
2025-02-03
Title
Upcasted S3 Offload – AWS S3, Digital Ocean Spaces, Backblaze, Minio and more < 3.0.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2026-03-17
Title
Post SMTP < 3.9.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type'
Published
2025-03-03
Title
AFI < 1.100.0 - Admin+ Stored XSS
Published
2024-12-03
Title
Flower Delivery by Florist One < 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting