WordPress Plugin Vulnerabilities

LetterPress <= 1.2.1 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Affects Plugins

Plugin icon
letterpress
No known fix

References

CVE
CVE-2023-27415

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Pavak Tiwari
Verified
Yes
WPVDB ID
3b3f23c1-e038-4986-ab0d-118b144fecf0

Timeline

Publicly Published
2023-05-11 (about 1 years ago)
Added
2023-08-09 (about 9 months ago)
Last Updated
2023-10-06 (about 7 months ago)

Other

Published
Title
Published
2022-11-29
Title
Simple:Press < 6.8.1 - Subscriber+ Stored XSS via Profile Signatures
Published
2021-08-09
Title
SpeakOut! Email Petitions < 2.13.3 - Reflected Cross-Site Scripting
Published
2023-01-30
Title
GS Portfolio for Envato < 1.4.0 - Contributor+ Stored XSS
Published
2015-06-25
Title
WordPress Landing Pages <= 1.8.7 - Unspecified Cross-Site Scripting (XSS)
Published
2024-04-29
Title
MailerLite – Signup forms (official) 1.5.0 - 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting