WordPress Plugin Vulnerabilities
CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
Proof of Concept
Put the following payloads in the "License ID" setting of the plugin and save: "><script>alert(/XSS/)</script>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shweta Mahajan
Submitter
Shweta Mahajan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-02 (about 2 years ago)
Added
2022-02-02 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)