WordPress Plugin Vulnerabilities

YARPP < 5.30.10 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
yet-another-related-posts-plugin
Fixed in 5.30.10

References

CVE
CVE-2024-0602
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/10aa1dd7-f909-4ebe-b29b-2f2743b3e08a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Akbar Kustirama
Verified
No
WPVDB ID
05d24e91-3942-4af2-9791-4c7e7a39be97

Timeline

Publicly Published
2024-02-20 (about 3 months ago)
Added
2024-02-21 (about 2 months ago)
Last Updated
2024-02-21 (about 2 months ago)

Other

Published
Title
Published
2016-11-08
Title
Caldera Forms < 1.4.2 - Cross Site Scripting
Published
2021-08-24
Title
Contact Form Entries < 1.2.1 - Reflected Cross-Site Scripting
Published
2023-05-31
Title
Quick/Bulk Order Form for WooCommerce < 3.6.0 - Shop Manager+ Stored XSS
Published
2023-02-15
Title
Podlove Subscribe button < 1.3.9 - Admin+ Stored XSS
Published
2023-10-18
Title
Get Custom Field Values < 4.1 - Admin+ Stored XSS