Lucene search
Dmitrii IgnatyevWPVDB-ID:DFA1421B-41B0-4B25-95EF-0843103E1F5EHistoryApr 22, 2024 - 12:00 a.m.
PostX < 4.0.2 - Contributor+ Stored XSS
2024-04-2200:00:00
Dmitrii Ignatyev
wpscan.com
2
postx plugin
stored xss
contributor role
cross-site scripting
vulnerability
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PoC
1. Create a new Post and add “Ultimate post Heading” block. Change “headingURL” field to 123" onmouseover=alert(1)// 2. Browse the post and hover over the heading.
| CPE | Name | Operator | Version |
|---|---|---|---|
| eq | 4.0.2 |
References
Related
nvd
nvd
CVE-2024-3239
2024-05-14 15:40:31
cvelist
cvelist
CVE-2024-3239 PostX < 4.0.2 - Contributor+ Stored XSS
2024-05-13 06:00:01
cve
cve
CVE-2024-3239
2024-05-14 15:40:31
vulnrichment
vulnrichment
CVE-2024-3239 PostX < 4.0.2 - Contributor+ Stored XSS
2024-05-13 06:00:01
wpexploit
wpexploit
PostX < 4.0.2 - Contributor+ Stored XSS
2024-04-22 00:00:00
wordfence
wordfence
8.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
Related for WPVDB-ID:DFA1421B-41B0-4B25-95EF-0843103E1F5E