WordPress Plugin Vulnerabilities

CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Proof of Concept

Affects Plugins

Plugin icon
cp-blocks
Fixed in 1.0.15

References

CVE
CVE-2022-0448

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Shweta Mahajan
Submitter
Shweta Mahajan
Verified
Yes
WPVDB ID
d4ff63ee-28e6-486e-9aa7-c878b97f707c

Timeline

Publicly Published
2022-02-02 (about 3 years ago)
Added
2022-02-02 (about 3 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2022-09-26
Title
Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting
Published
2024-10-21
Title
Risk Warning Bar <= 1.0 - Reflected Cross-Site Scripting
Published
2024-06-11
Title
Download Manager < 3.2.87 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Published
2024-11-13
Title
Gameplan <= 1.5.10 - Reflected Cross-Site Scripting
Published
2024-05-20
Title
WP Next Post Navi <= 1.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting