WordPress Plugin Vulnerabilities

Duplicator Pro < 4.5.11.1 - Unauthenticated Reflected XSS

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

Affects Plugins

Plugin icon
duplicator-pro
Fixed in 4.5.11.1

References

CVE
CVE-2023-33309
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/duplicator-pro/duplicator-pro-4511-reflected-cross-site-scripting
URL
https://patchstack.com/database/vulnerability/duplicator-pro/wordpress-duplicator-pro-plugin-4-5-11-reflected-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
843667b6-a79d-4868-8dfa-77fa7d9432fd

Timeline

Publicly Published
2023-05-22 (about 1 years ago)
Added
2023-05-30 (about 1 years ago)
Last Updated
2023-05-30 (about 1 years ago)

Other

Published
Title
Published
2022-12-22
Title
Carousel, Slider, Gallery by WP Carousel < 2.5.3 - Contributor+ Stored XSS
Published
2023-02-03
Title
Podlove Podcast Publisher < 3.8.3 - Admin+ Stored XSS
Published
2022-01-18
Title
ProfileGrid < 4.7.5 - Subscriber+ Stored Cross-Site Scripting
Published
2014-08-01
Title
GroupDocs Comparison <= 1.0.2 - Multiple Parameter XSS
Published
2024-03-14
Title
HUSKY – Products Filter for WooCommerce Professional < 1.3.5.2 - Contributor+ Stored Cross-Site Scripting via Shortcode