WordPress Plugin Vulnerabilities

Vertical Marquee <= 7.2 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
vertical-marquee-plugin
No known fix

References

CVE
CVE-2023-40677
URL
https://patchstack.com/database/vulnerability/vertical-marquee-plugin/wordpress-vertical-marquee-plugin-plugin-7-1-cross-site-scripting-xss

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
0582a2a5-627d-461b-9c3b-b2598f8a1eaa

Timeline

Publicly Published
2023-08-22 (about 8 months ago)
Added
2023-09-27 (about 7 months ago)
Last Updated
2023-10-31 (about 6 months ago)

Other

Published
Title
Published
2023-03-22
Title
W4 Post List < 2.4.6 - Reflected XSS
Published
2020-09-09
Title
Cookiebot < 3.6.1 - CSRF & XSS
Published
2023-01-23
Title
Parsi Date < 4.0.2 - Reflected Cross-Site Scripting
Published
2017-01-16
Title
Event Notifier < 1.2.1 - XSS
Published
2023-11-14
Title
Shareaholic < 9.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode