WordPress Plugin Vulnerabilities

Article Directory <= 1.3 - Admin+ Stored XSS

Description

The plugin does not properly sanitize the `publish_terms_text` setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts.

Proof of Concept

Affects Plugins

Plugin icon
article-directory
No known fix

References

CVE
CVE-2023-0422

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Shreya Pohekar
Submitter
Shreya Pohekar
Submitter website
https://shreyapohekar.com
Submitter twitter
shreyapohekar
Verified
Yes
WPVDB ID
d57f2fb2-5251-4069-8c9a-a4af269c5e62

Timeline

Publicly Published
2023-03-17 (about 2 years ago)
Added
2023-03-17 (about 2 years ago)
Last Updated
2023-03-17 (about 2 years ago)

Other

Published
Title
Published
2023-10-16
Title
WooCommerce PDF Invoice Builder < 1.2.104 - Reflected XSS
Published
2014-08-01
Title
Download Manager <= 2.2.2 - admin.php cid Parameter XSS
Published
2024-04-09
Title
WP < 6.5.2 - Unauthenticated Stored XSS
Published
2025-01-16
Title
Tax Report for WooCommerce <= 2.2 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
java-trackback <= 0.2 - XSS in ZeroClipboard