Restrict Usernames Emails Characters Plugin < 3.1.4 – Admin+ Stored XSS | CVE 2023-6165 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

1. Access the "Restrict Usernames Emails Characters" settings
2. For the field "The name of the user_login field in registration form", enter the payload `"><img src=1 onerror=alert(/xss/)>`
3. Click "Save Changes" and see the XSS.

Affects Plugins

restrict-usernames-emails-characters

Fixed in 3.1.4

References

CVE

URL

https://github.com/youki992/youki992.github.io/blob/master/others/apply2.md

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Yuhang Liu

Submitter

Yuhang Liu

Verified

Yes

WPVDB ID

aba62286-9a82-4d5b-9b47-1fddde5da487

Timeline

Publicly Published

2024-01-05 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-05 (about 2 years ago)

Other

Published

Title

Published

2024-12-11

Title

LDD Directory Lite <= 3.3 - Reflected Cross-Site Scripting

Published

2016-09-10

Title

MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2025-01-16

Title

Custom Coming Soon <= 2.2 - Reflected Cross-Site Scripting

Published

2022-07-18

Title

DW Promobar <= 1.0.4 - Admin+ Stored Cross-Site Scripting

Published

2025-07-17

Title

Universal Video Player - Addon for WPBakery Page Builder < 3.2.2.0 - Reflected Cross-Site Scripting