WordPress Plugin Vulnerabilities
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
Proof of Concept
Put the following payload in the "Folder for new files" and "Maximum size of uploaded file" settings of the plugin: "><script>alert(/XSS/)</script>
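The pattern behind the issue described above, next to its fix, as an added example that is not the plugin's own code. The function names and the 'folder' and 'max_size' keys are hypothetical, and the esc_attr()/absint() stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Function names and setting keys are hypothetical.

// Stand-ins so this file runs outside WordPress; inside WordPress the core
// esc_attr() and absint() functions are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($value) {
        return abs((int) $value);
    }
}

// Vulnerable pattern: the stored setting is concatenated straight into value="...".
function render_field_unescaped($name, $value) {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Fixed pattern: escape for the HTML attribute context at output time.
function render_field_escaped($name, $value) {
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '">';
}

// Sanitise on save as well: allowlist folder characters, force the size to an integer.
function sanitize_settings(array $input) {
    return array(
        'folder'   => preg_replace('#[^A-Za-z0-9_/-]#', '', (string) ($input['folder'] ?? '')),
        'max_size' => absint($input['max_size'] ?? 0),
    );
}

// The payload from the Proof of Concept above, held as the stored setting values.
$stored = array(
    'folder'   => '"><script>alert(/XSS/)</script>',
    'max_size' => '"><script>alert(/XSS/)</script>',
);

echo render_field_unescaped('folder', $stored['folder']), "\n"; // quote closes the attribute early
echo render_field_escaped('folder', $stored['folder']), "\n";   // payload stays inside the attribute
print_r(sanitize_settings($stored));                            // values as they would be saved
```

Escaping at output is the fix for the attribute injection. Sanitising on save is a second layer that keeps markup out of the stored options in the first place.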
Affects Plugins
References
CVE
Classification
Type: XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher: Shivam Rai
Submitter: Shivam Rai
Submitter twitter
Verified: Yes
WPVDB ID
Timeline
Publicly Published: 2021-09-15 (about 2 years ago)
Added: 2021-09-15 (about 2 years ago)
Last Updated: 2022-04-08 (about 2 years ago)