Lucene search
Lana CodesWPVDB-ID:A0A44F8A-877C-40DF-A3BA-B9B806FFB772HistoryFeb 13, 2023 - 12:00 a.m.
Download Attachments <= 1.2.24 - Contributor+ Stored XSS
2023-02-1300:00:00
Lana Codes
wpscan.com
10
plugin
vulnerability
contributor
stored xss
attacks
EPSS
0.001
Percentile
21.0%
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PoC
[download-attachments container_class=β" onmouseover=βalert(1)ββ] Note: An Attachment in an Attachments metabox needs to be present
Related
cvelist
cvelist
CVE-2023-0076 Download Attachments < 1.3 - Contributor+ Stored XSS
2023-03-06 13:33:57
prion
prion
Cross site scripting
2023-03-06 14:15:00
cve
cve
CVE-2023-0076
2023-03-06 14:15:10
wpexploit
wpexploit
Download Attachments <= 1.2.24 - Contributor+ Stored XSS
2023-02-13 00:00:00
nvd
nvd
CVE-2023-0076
2023-03-06 14:15:10