WordPress Plugin Vulnerabilities

Jetpack CRM < 5.5.1 - Client+ XSS

Description

The plugin does not sanitise and escape a client's phone number field, which could allow client users to perform Cross-Site Scripting attacks.

Affects Plugins

Plugin icon
zero-bs-crm
Fixed in 5.5.1

References

URL
https://hackerone.com/reports/1806219

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
No
WPVDB ID
2da0864d-7acb-4bf3-85c1-7287e7819c5a

Timeline

Publicly Published
2023-09-12 (about 8 months ago)
Added
2023-09-12 (about 7 months ago)
Last Updated
2023-09-12 (about 7 months ago)

Other

Published
Title
Published
2014-10-08
Title
Google Calendar Events < 2.0.4 - XSS
Published
2023-02-28
Title
NEX-Forms < 8.3.3 - Contributor+ Stored XSS
Published
2022-03-30
Title
Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting
Published
2023-08-14
Title
User Submitted Posts < 20230811 - Unauthenticated Stored XSS
Published
2024-05-07
Title
Advanced Ads – Ad Manager & AdSense < 1.52.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget