Lucene search
Dmitrii IgnatyevWPEX-ID:DFA1421B-41B0-4B25-95EF-0843103E1F5EHistoryApr 22, 2024 - 12:00 a.m.
PostX < 4.0.2 - Contributor+ Stored XSS
2024-04-2200:00:00
Dmitrii Ignatyev
18
postx
stored xss
contributor+
ultimate post heading
exploit
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
1. Create a new Post and add "Ultimate post Heading" block. Change "headingURL" field to `123" onmouseover=alert(1)//`
2. Browse the post and hover over the heading.References
Related
nvd
nvd
CVE-2024-3239
2024-05-14 15:40:31
cvelist
cvelist
CVE-2024-3239 PostX < 4.0.2 - Contributor+ Stored XSS
2024-05-13 06:00:01
vulnrichment
vulnrichment
CVE-2024-3239 PostX < 4.0.2 - Contributor+ Stored XSS
2024-05-13 06:00:01
cve
cve
CVE-2024-3239
2024-05-14 15:40:31
wpvulndb
wpvulndb
PostX < 4.0.2 - Contributor+ Stored XSS
2024-04-22 00:00:00
wordfence
wordfence
8.3 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
Related for WPEX-ID:DFA1421B-41B0-4B25-95EF-0843103E1F5E