WordPress Plugin Vulnerabilities
Inspirational Quote Rotator <= 1.0.0 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowed
Proof of Concept
Add/edit a quote (/wp-admin/options-general.php?page=iqr-settings) and put the following payload in the Title or Content: <script>alert(/XSS/)</script>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Vishal Mohan
Submitter
Vishal Mohan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-11-15 (about 2 years ago)
Added
2021-11-15 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)