WordPress Plugin Vulnerabilities

Старт < 3.8 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role of Admin to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
iksweb
Fixed in 3.8

References

CVE
CVE-2023-25972

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Karthikeyan Balasubramanian
Verified
No
WPVDB ID
fea25d44-c1d5-4f3b-9b2d-6f2a4f80a89e

Timeline

Publicly Published
2023-02-21 (about 3 years ago)
Added
2023-06-15 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2024-10-03
Title
WP Booking Calendar < 10.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2023-01-04
Title
RSS Aggregator by Feedzy < 4.1.1 - Contributor+ Stored XSS
Published
2025-05-23
Title
Page Builder: Pagelayer – Drag and Drop website builder < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link
Published
2023-02-13
Title
Resume Builder <= 3.1.1 - Subscriber+ Stored XSS
Published
2023-11-15
Title
Accordion < 2.7 - Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings