WordPress Plugin Vulnerabilities

Locatoraid Store Locator < 3.9.19 - Subscriber+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the Subscriber role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
locatoraid
Fixed in 3.9.19

References

CVE
CVE-2023-32576

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
7180645d-ea86-4c3f-b26a-f1002c5ccbd4

Timeline

Publicly Published
2023-05-11 (about 1 years ago)
Added
2023-08-25 (about 8 months ago)
Last Updated
2023-08-25 (about 8 months ago)

Other

Published
Title
Published
2021-06-01
Title
All 404 Redirect to Homepage < 2.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2019-05-15
Title
WP Live Chat Support < 8.0.27 - Unauthenticated Stored XSS
Published
2024-02-28
Title
Simple Ajax Chat < 20240223 - Unauthenticated Stored XSS
Published
2022-10-17
Title
WP < 6.0.3 - Stored XSS via RSS Widget
Published
2021-05-09
Title
Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)