WordPress Plugin Vulnerabilities

ARMember < 4.0.3 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
armember-membership
Fixed in 4.0.3

References

CVE
CVE-2023-33323

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
0e7a77cf-8d4b-494e-bcd8-53ca39e04270

Timeline

Publicly Published
2023-06-13 (about 11 months ago)
Added
2023-06-22 (about 10 months ago)
Last Updated
2023-06-22 (about 10 months ago)

Other

Published
Title
Published
2022-07-18
Title
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
Published
2024-03-15
Title
Gutenberg Blocks by Kadence Blocks < 3.2.26 - Contributor+ Stored XSS
Published
2020-07-08
Title
Monalisa < 2.1.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2021-06-02
Title
GetPaid < 2.3.4 - Authenticated Stored XSS
Published
2024-03-01
Title
Ultimate Bootstrap Elements for Elementor < 1.3.7 - Contributor+ Stored XSS