WordPress Plugin Vulnerabilities
WP Quick FrontEnd Editor <= 5.5 - Authenticated Settings Change leading to Stored XSS
Description
The AJAX action la_save_front_editor lacks any capability and CSRF checks, allowing low privilege users to modify the plugin's settings. Due to the lack of sanitisation on some settings, this could lead to a Stored XSS issue as well which will be triggered when a user is logged in
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-01-12 (about 3 years ago)
Added
2021-01-12 (about 3 years ago)
Last Updated
2021-01-13 (about 3 years ago)