WordPress Plugin Vulnerabilities

Wp Ultimate Review < 2.1.0 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-ultimate-review
Fixed in 2.1.0

References

CVE
CVE-2023-28751

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
qilin_99
Verified
No
WPVDB ID
2f62810d-9f1a-4e46-b5f0-b34db590a901

Timeline

Publicly Published
2023-03-29 (about 1 years ago)
Added
2023-06-23 (about 10 months ago)
Last Updated
2023-06-23 (about 10 months ago)

Other

Published
Title
Published
2024-04-22
Title
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin < 2.6.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2023-04-19
Title
WP Links Page < 4.9.4 - Contributor+ Stored XSS
Published
2023-10-12
Title
ApplyOnline – Application Form Builder and Manager < 2.5.3 - Reflected XSS
Published
2021-10-25
Title
Falang multilanguage for WordPress < 1.3.18 - Reflected Cross-Site Scripting
Published
2019-07-03
Title
Simple Mail Address Encoder < 1.7 - Reflected Authenticated XSS