WordPress Plugin Vulnerabilities

WP Abstracts < 2.6.4 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-abstracts-manuscripts-manager
Fixed in 2.6.4

References

CVE
CVE-2023-28692
URL
https://patchstack.com/database/vulnerability/wp-abstracts-manuscripts-manager/wordpress-wp-abstracts-plugin-2-6-2-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
qilin_99
Verified
No
WPVDB ID
fd407c96-e172-4e19-afa1-9ab50473912e

Timeline

Publicly Published
2023-08-30 (about 9 months ago)
Added
2023-09-18 (about 8 months ago)
Last Updated
2024-03-18 (about 2 months ago)

Other

Published
Title
Published
2014-12-05
Title
Broken Link Checker <= 1.10.2 - Stored XSS
Published
2014-08-01
Title
WordPress-to-Lead for Salesforce CRM 1.0.1 - salesforce.php salesforce_form_shortcode Function Error Message H&ling XSS
Published
2023-02-02
Title
WP htpasswd <= 1.7 - Admin+ Stored XSS
Published
2023-08-16
Title
Church Admin < 3.7.6 - Reflected XSS
Published
2023-01-23
Title
Twenty20 Image Before-After <= 1.6.1 - Contributor+ Stored XSS