WordPress Plugin Vulnerabilities

qubotchat < 1.1.6 - Unauthenticated Stored XSS

Description

The plugin doesn't filter user input on chat, leading to bad code inserted on it be reflected on the user dashboard.

Proof of Concept

Affects Plugins

Plugin icon
qubotchat
Fixed in 1.1.6

References

CVE
CVE-2023-2399

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Rafael B.
Submitter
Rafael B.
Verified
Yes
WPVDB ID
deca3cd3-f7cf-469f-9f7e-3612f7ae514d

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-05-24 (about 2 years ago)
Last Updated
2023-05-25 (about 2 years ago)

Other

Published
Title
Published
2024-07-01
Title
PayPlus Payment Gateway < 6.6.9 - Reflected Cross-Site Scripting
Published
2023-12-27
Title
Stock Ticker < 3.23.5 - Authenticated (Contributor+) Stored Cross-Site Scritping
Published
2024-10-08
Title
Embed PDF Viewer < 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via height and width Parameters
Published
2023-04-19
Title
Social Share Boost < 4.5 - Contributor+ Stored XSS
Published
2021-07-05
Title
Magic Post Thumbnail < 3.3.7 - Reflected Cross-Site Scripting (XSS)