WordPress Plugin Vulnerabilities

WPCargo Track & Trace < 6.9.5 - Admin+ Stored Cross Site Scripting

Description

The plugin does not sanitize and escapes some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Proof of Concept

Affects Plugins

Plugin icon
wpcargo
Fixed in 6.9.5

References

CVE
CVE-2022-1435

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Raul
Submitter
Raul
Verified
Yes
WPVDB ID
ef5aa8a7-23a7-4ce0-bb09-d9c986386114

Timeline

Publicly Published
2022-04-25 (about 3 years ago)
Added
2022-04-25 (about 3 years ago)
Last Updated
2023-02-06 (about 2 years ago)

Other

Published
Title
Published
2023-09-05
Title
Simple Membership < 4.3.6 - Reflected XSS
Published
2024-07-08
Title
Inline Related Posts < 3.8.0 - Admin+ Stored XSS
Published
2023-12-22
Title
Sensei LMS < 4.18.0 - Contributor+ Stored XSS
Published
2024-09-16
Title
AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Uplaod
Published
2024-02-29
Title
Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget