WordPress Plugin Vulnerabilities

WP Smart CRM & Invoices FREE <= 1.8.7 - Authenticated Stored Cross-Site Scripting

Description

Multiple fields from the customer model, such as The Business Name and Tax Code, are affected by stored cross-site scripting issues.

Affects Plugins

Plugin icon
wp-smart-crm-invoices-free
No known fix

References

CVE
CVE-2020-25375
URL
https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
ZeroAptitude
Verified
No
WPVDB ID
cc5c3ac7-f851-4693-8b15-33a12127c016

Timeline

Publicly Published
2020-08-31 (about 5 years ago)
Added
2020-08-31 (about 5 years ago)
Last Updated
2020-09-16 (about 5 years ago)

Other

Published
Title
Published
2020-08-31
Title
Subscribe Sidebar <= 1.3.1 - Authenticated Reflected Cross-Site Scripting
Published
2023-06-08
Title
Metform Elementor Contact Form Builder < 3.3.1 - Multiple Contributor+ Stored XSS via Shortcode
Published
2012-05-15
Title
Sharebar <= 1.2.1 - SQL Injection & Cross-Site Scripting (XSS)
Published
2024-03-25
Title
Photo Gallery by Ays < 5.5.3 - Reflected Cross-Site Scripting
Published
2025-01-29
Title
Simple:Press Forum < 6.10.12 - Reflected Cross-Site Scripting