WordPress Plugin Vulnerabilities

Cost Calculator <= 1.8 - Contributor+ Stored XSS

Description

The plugin does not escape the nd_cc_meta_box_cc_price_icon parameter (related to a post meta), which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
nd-projects
No known fix

References

CVE
CVE-2023-1155

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
dce320af-7cb7-4b53-8c55-dfc964b0b3cb

Timeline

Publicly Published
2023-03-02 (about 3 years ago)
Added
2023-03-03 (about 3 years ago)
Last Updated
2023-03-03 (about 3 years ago)

Other

Published
Title
Published
2025-01-16
Title
CAMOO SMS <= 3.0.1 - Reflected Cross-Site Scripting
Published
2024-10-31
Title
Super Addons for Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-24
Title
Key4ce osTicket Bridge <= 1.4.0 - Reflected Cross-Site Scripting
Published
2025-06-27
Title
Football Pool < 2.12.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-02
Title
Uncomplicated SEO <= 1.2 - Reflected Cross-Site Scripting