WordPress Plugin Vulnerabilities

WP Zillow Review Slider < 2.4 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape a settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite)

Proof of Concept

Affects Plugins

Plugin icon
wp-zillow-review-slider
Fixed in 2.4

References

CVE
CVE-2022-1915

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
moresec
Submitter
moresec
Submitter website
https://github.com/Jamesusername
Verified
Yes
WPVDB ID
c3c28edf-19bc-4f3a-b58e-f1c67557aa29

Timeline

Publicly Published
2022-05-30 (about 3 years ago)
Added
2022-05-30 (about 3 years ago)
Last Updated
2023-02-26 (about 2 years ago)

Other

Published
Title
Published
2024-10-21
Title
AffiliateX < 1.2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-05-28
Title
Rezgo Online Booking < 1.8.2 - Multiple XSS
Published
2024-12-13
Title
Frontend Admin by DynamiApps < 3.25.1 - Unauthenticated Stored Cross-Site Scripting
Published
2025-01-27
Title
Oshine Modules < 3.3.8 - Reflected Cross-Site Scripting
Published
2024-09-30
Title
Zotpress < 7.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting