WordPress Plugin Vulnerabilities
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting
Description
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
Proof of Concept
Visit the following path on the site as an admin user: /wp-admin/admin.php?page=drag-n-drop-upload&tab=pro-features%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-03-21 (about 1 years ago)
Added
2023-03-21 (about 1 years ago)
Last Updated
2023-03-21 (about 1 years ago)