WordPress Plugin Vulnerabilities

Archivist - Custom Archive Templates < 1.7.5 - Stored XSS via CSRF

Description

The plugin does not have CSRF when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

Affects Plugins

Plugin icon
archivist-custom-archive-templates
Fixed in 1.7.5

References

CVE
CVE-2023-25448

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
d7b2243d-5295-464d-b618-03e45602a23f

Timeline

Publicly Published
2023-02-15 (about 3 years ago)
Added
2023-04-25 (about 3 years ago)
Last Updated
2023-04-25 (about 3 years ago)

Other

Published
Title
Published
2024-12-12
Title
phZoom <= 1.2.92 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-09-11
Title
RD Station < 5.2.1 - Multiple CSRF
Published
2026-01-23
Title
Login Page Editor <= 1.2 - Cross-Site Request Forgery to Settings Update
Published
2025-06-05
Title
BP Profile as Homepage <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-07-02
Title
Snippet Shortcodes < 4.1.5 - Cross-Site Request Forgery