WordPress Plugin Vulnerabilities

WP-Appbox < 4.4.0 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Affects Plugins

Plugin icon
wp-appbox
Fixed in 4.4.0

References

CVE
CVE-2021-36910

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
mirphak
Verified
No
WPVDB ID
e1f95949-c744-44df-8b7f-7b60ea4c2d52

Timeline

Publicly Published
2022-04-05 (about 4 years ago)
Added
2022-04-12 (about 4 years ago)
Last Updated
2022-07-27 (about 3 years ago)

Other

Published
Title
Published
2024-08-02
Title
Zephyr Project Manager < 3.3.101 - Authenticated (Subscriber+) Stored Cross-Site Scripting via filename Parameter
Published
2019-04-23
Title
KingComposer - Authenticated Stored XSS
Published
2025-10-31
Title
Flying Images: Optimize and Lazy Load Images for Faster Page Speed < 2.4.15 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-06-27
Title
Smart Agenda < 5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-10
Title
SuperSaaS – online appointment scheduling < 2.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via after Parameter