WordPress Plugin Vulnerabilities

Motor Racing League <= 1.9.9 - Admin+ XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
motor-racing-league
No known fix

References

CVE
CVE-2023-27614

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Pavak Tiwari
Verified
No
WPVDB ID
8cc3025d-d307-4578-8d94-46bd7009e054

Timeline

Publicly Published
2023-04-14 (about 1 years ago)
Added
2023-04-24 (about 1 years ago)
Last Updated
2023-04-24 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Custom Tables 3.4.4 - iframe.php key Parameter XSS
Published
2023-02-13
Title
Announce from the Dashboard < 1.5.2 - Admin+ Stored XSS
Published
2015-04-20
Title
Google Analytics Top Content Widget < 1.5.7 - Reflected XSS
Published
2024-04-05
Title
MailMunch – Grow your Email List < 3.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-05-22
Title
Duplicator Pro < 4.5.11.1 - Unauthenticated Reflected XSS