WordPress Plugin Vulnerabilities
Flexi Quote Rotator <= 0.9.4 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
Add the following payload to a new quote: <img src=x onerror=alert(1)>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-07-06 (about 1 years ago)
Added
2022-07-06 (about 1 years ago)
Last Updated
2023-04-10 (about 1 years ago)