WordPress Plugin Vulnerabilities

ApplyOnline < 2.5.6 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
apply-online
Fixed in 2.5.6

References

CVE
CVE-2023-24391
URL
https://patchstack.com/database/vulnerability/apply-online/wordpress-applyonline-application-form-builder-and-manager-plugin-2-5-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
fca39085-01b2-47a2-9441-06d66853e039

Timeline

Publicly Published
2023-06-26 (about 2 years ago)
Added
2023-08-11 (about 2 years ago)
Last Updated
2024-03-20 (about 1 year ago)

Other

Published
Title
Published
2022-04-25
Title
ScrollReveal.js Effects <= 1.2 - Admin+ Stored Cross-Site Scripting
Published
2024-02-12
Title
Doofinder for WooCommerce < 2.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Published
2024-09-23
Title
Themify – WooCommerce Product Filter < 1.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-01-07
Title
Qr Code and Barcode Scanner Reader <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-02-28
Title
My Sticky Bar < 2.6.8 - Admin+ Stored XSS