WordPress Plugin Vulnerabilities
WP Born Babies <= 1.0 - Contributor+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks
Proof of Concept
As a contributor, create a new Baby item and put the following payload in any of the settings (such as Birth Date, Time of Birth etc): "><script>alert('XSS')</script>
The XSS will be triggered when editing the post, as well as when viewing/previewing it Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Wejdan Alomari
Submitter
Wejdan Alomari
Verified
Yes
Timeline
Publicly Published
2022-05-16 (about 10 months ago)
Added
2022-05-16 (about 10 months ago)
Last Updated
2023-02-06 (about 1 months ago)