WordPress Plugin Vulnerabilities

Nested Pages < 3.2.7 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-nested-pages
Fixed in 3.2.7

References

CVE
CVE-2023-49195
URL
https://patchstack.com/database/vulnerability/wp-nested-pages/wordpress-nested-pages-plugin-3-2-6-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
b1d622f3-591d-4e55-bd07-c70ea6a72493

Timeline

Publicly Published
2023-12-01 (about 2 years ago)
Added
2023-12-07 (about 2 years ago)
Last Updated
2024-01-08 (about 2 years ago)

Other

Published
Title
Published
2024-06-03
Title
Event Tickets with Ticket Scanner < 2.3.2 - Reflected Cross-Site Scripting
Published
2024-08-26
Title
YellowPencil Visual CSS Style Editor < 7.6.4 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com <= 3.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2022-12-23
Title
WP Spell Check < 9.13 - Ignored Word Deletion via CSRF
Published
2023-09-04
Title
Atarim < 3.9.4 - Admin+ Stored XSS