WordPress Plugin Vulnerabilities

YITH WooCommerce Multi Vendor < 3.8.1 - Reflected Cross-Site Scripting

Description

The plugin does not escape some parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
yith-woocommerce-product-vendors
Fixed in 3.8.1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
db8dc8db-ec79-4f39-a663-7ec22b24b98d

Timeline

Publicly Published
2021-10-11 (about 4 years ago)
Added
2021-10-11 (about 4 years ago)
Last Updated
2021-10-11 (about 4 years ago)

Other

Published
Title
Published
2021-09-08
Title
3D Cover Carousel <= 1.0 - Reflected Cross-Site Scripting
Published
2024-04-16
Title
Void Elementor WHMCS Elements For Elementor Page Builder < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-08-14
Title
Article Directory Redux <= 1.0.2 - Admin+ Stored XSS
Published
2023-05-10
Title
Tiny carousel horizontal slider plus <= 3.2 - Admin+ Stored XSS
Published
2024-04-02
Title
Jeg Elementor Kit < 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box