Lucene search
MikaWPVDB-ID:000E65F1-89CD-4DD5-A09D-5FEBD9FDFBDBHistoryNov 01, 2021 - 12:00 a.m.
Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting
2021-11-0100:00:00
Mika
wpscan.com
5
shop page wp
cross-site scripting
stored
admin
product fields
privilege users
xss
vulnerability
EPSS
0.001
Percentile
24.8%
The plugin does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PoC
Add/edit a product and put the following payload in the Product Affiliate URL, Custom Button Text fields: "> The Product Description field is also affected, with the following payload:
The XSS will be triggered when viewing the Product in a page, or when editing the Product in the admin dashboard
Related
wpexploit
wpexploit
Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting
2021-11-01 00:00:00
cve
cve
CVE-2021-24811
2021-11-29 09:15:07
cvelist
cvelist
CVE-2021-24811 Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting
2021-11-29 08:25:37
prion
prion
Cross site scripting
2021-11-29 09:15:00
nvd
nvd
CVE-2021-24811
2021-11-29 09:15:07