WordPress Plugin Vulnerabilities

All In One Favicon <= 4.6 - Multiple Stored Authenticated XSS

Description

Authenticated Stored Cross-Site Scripting (XSS) in 8 parameters:

backendApple-Text
backendGIF-Text
backendICO-Text
backendPNG-Text
frontendApple-Text
frontendGIF-Text
frontendICO-Text
frontendPNG-Text

Proof of Concept

Affects Plugins

Plugin icon
all-in-one-favicon
Fixed in 4.7

References

CVE
CVE-2018-13832
URL
https://plugins.trac.wordpress.org/changeset/1913664/all-in-one-favicon
URL
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Submitter
Javier Olmedo
Submitter website
https://hackpuntes.com
Submitter twitter
JJavierOlmedo
Verified
No
WPVDB ID
ec55b173-e727-446d-862f-42f11ba5acca

Timeline

Publicly Published
2018-07-10 (about 7 years ago)
Added
2018-07-16 (about 7 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-01-16
Title
Shoutcast and Icecast HTML5 Web Radio Player by YesStreaming.com <= 3.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2025-03-03
Title
Simple Banner < 3.0.4 - Admin+ Stored XSS
Published
2014-02-12
Title
Nextend Facebook Connect < 1.5.1 - Cross-Site Scripting (XSS)
Published
2024-05-30
Title
Preferred Languages < 2.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-09-25
Title
ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS