WordPress Plugin Vulnerabilities

Woo Custom Emails <= 2.2 - Reflected XSS

Description

The plugin does not sanitise and escape the wcemails_edit parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affects Plugins

Plugin icon
woo-custom-emails
No known fix

References

CVE
CVE-2023-4315

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
02fa3688-ee18-458f-9618-1312da0646ec

Timeline

Publicly Published
2023-08-02 (about 9 months ago)
Added
2023-09-07 (about 8 months ago)
Last Updated
2023-09-07 (about 8 months ago)

Other

Published
Title
Published
2023-01-19
Title
Interactive Polish Map < 1.2.1 - Admin+ Stored XSS
Published
2023-12-19
Title
Seos Contact Form <= 1.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-08-10
Title
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.3 - Reflected XSS
Published
2023-05-31
Title
Quick/Bulk Order Form for WooCommerce < 3.6.0 - Shop Manager+ Stored XSS
Published
2018-01-26
Title
Splashing Images <= 2.1 - Cross-Site Scripting (XSS)