The plugin does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability.
- Log on to the site using a subscriber account. - On the page the shortcode is rendered, click on "Why not add your own race result?" - In the "Event Name" field, enter "><img src=x onerror=alert(1)// >, and fill in & submit the rest of the form. - As an administrator, visit /wp-admin/admin.php?page=wp-athletics-manage-results
Wejdan Alomari
Wejdan Alomari
Yes
2022-05-17 (about 2 months ago)
2022-05-17 (about 2 months ago)
2022-05-18 (about 2 months ago)