WordPress Plugin Vulnerabilities

GD bbPress Attachments < 4.4 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
gd-bbpress-attachments
Fixed in 4.4

References

CVE
CVE-2022-45816

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
bb59f0df-b354-4b73-84c5-d582f00ce617

Timeline

Publicly Published
2022-12-05 (about 3 years ago)
Added
2022-12-06 (about 3 years ago)
Last Updated
2022-12-06 (about 3 years ago)

Other

Published
Title
Published
2017-11-08
Title
Simple Membership < 3.5.7 - XSS
Published
2024-11-04
Title
TeleAdmin <= 1.0.0 - Reflected Cross-Site Scripting
Published
2024-06-22
Title
Seriously Simple Podcasting < 3.3.0 - Admin+ Stored XSS
Published
2024-04-12
Title
Short URL <= 1.6.8 - Reflected Cross-Site Scripting
Published
2018-12-02
Title
Contact Form by WPForms < 1.4.8 - Authenticated Stored Cross-Site Scripting (XSS)