The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users with editor-level permissions or greater to inject arbitrary web scripts into pages; the script executes whenever any user accesses an injected page, even when the 'unfiltered_html' capability has been disabled.
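The bug class behind this entry, as an added illustration (this is not the plugin's code and is not taken from its fix): a hypothetical admin-table row renderer that writes a stored tag name into HTML unescaped, beside the escaped form, with a small check a reviewer can use to confirm the raw name no longer reaches the output. The WordPress escapers `esc_html()` and `esc_attr()` are assumed to behave as in core and are shimmed with `htmlspecialchars()` so the file runs stand-alone; the term object and payload are constructed for the example.

```php
<?php
// Added illustration of the bug class in the description above; this is not
// code from the Custom Permalinks plugin. Everything here is hypothetical: the
// row renderer, the constructed term and the payload. Outside WordPress the
// esc_html()/esc_attr() escapers are shimmed with htmlspecialchars() so the
// file runs under the php CLI.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in for WordPress core esc_html() (assumption: same contract).
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in for WordPress core esc_attr() (assumption: same contract).
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Vulnerable pattern: a stored, attacker-controlled term name is concatenated
 * straight into markup in two contexts (attribute value and element text).
 * Any user who loads the page executes whatever the name contains.
 */
function render_tag_row_unsafe( object $term ): string {
    return '<tr><td class="name">'
        . '<a href="?tag_ID=' . (int) $term->term_id . '" title="' . $term->name . '">'
        . $term->name . '</a></td></tr>';
}

/**
 * Hardened pattern: escape at the point of output with the escaper that
 * matches each context. Do not skip this for editors or admins: the
 * 'unfiltered_html' capability only decides whether WordPress runs kses over
 * content a user saves (posts, titles, comments); it says nothing about what
 * a plugin writes into its own pages. Input-side sanitisation on save
 * (sanitize_text_field) is defence in depth, not a substitute.
 */
function render_tag_row_safe( object $term ): string {
    return '<tr><td class="name">'
        . '<a href="?tag_ID=' . (int) $term->term_id . '" title="' . esc_attr( $term->name ) . '">'
        . esc_html( $term->name ) . '</a></td></tr>';
}

/**
 * Check for a quick audit: if the raw stored name appears verbatim in the
 * rendered HTML, it reached the output without escaping.
 */
function name_reaches_output_unescaped( string $html, string $raw_name ): bool {
    return strpos( $html, $raw_name ) !== false;
}

// Constructed sample (hypothetical payload): a tag name an editor-level account
// could store if the plugin's save path does not sanitise it.
$term = (object) array(
    'term_id' => 42,
    'name'    => '<img src=x onerror="alert(document.cookie)">',
);

foreach ( array( 'unsafe' => 'render_tag_row_unsafe', 'safe' => 'render_tag_row_safe' ) as $label => $renderer ) {
    $html = $renderer( $term );
    printf( "%s:\n  %s\n  raw name in output: %s\n", $label, $html,
        name_reaches_output_unescaped( $html, $term->name ) ? 'yes (XSS)' : 'no' );
}
```

Run it with `php` on the command line: the unsafe renderer emits the `<img ... onerror=...>` element intact, the safe one emits `&lt;img ... onerror=&quot;...&quot;&gt;`, which the browser shows as text. On a live site, the practical checks are to confirm the plugin version is above 2.6.0 and, for incident response, to look for stored term names containing `<` or `on...=` in the terms table, since the payload persists in the database rather than in the page.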
History
Fri, 27 Sep 2024 01:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Samiahmedsiddiqui; Samiahmedsiddiqui custom Permalinks |
CPEs | | cpe:2.3:a:samiahmedsiddiqui:custom_permalinks:*:*:*:*:*:wordpress:*:* |
Vendors & Products | | Samiahmedsiddiqui; Samiahmedsiddiqui custom Permalinks |
Mon, 26 Aug 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Sami Ahmed Siddiqui; Sami Ahmed Siddiqui custom Permalinks |
CPEs | | cpe:2.3:a:sami_ahmed_siddiqui:custom_permalinks:*:*:*:*:*:*:*:* |
Vendors & Products | | Sami Ahmed Siddiqui; Sami Ahmed Siddiqui custom Permalinks |
Metrics | | ssvc |
Sat, 24 Aug 2024 02:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled. |
Title | | Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting |
Weaknesses | | CWE-79 |
References | | |
Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-08-24T02:02:32.778Z
Updated: 2024-08-26T13:22:48.949Z
Reserved: 2023-02-20T18:35:34.223Z
Link: CVE-2023-0926
Vulnrichment
Updated: 2024-08-26T13:22:37.768Z
NVD
Status: Analyzed
Published: 2024-08-24T02:15:03.993
Modified: 2024-09-27T01:01:34.407
Link: CVE-2023-0926
Redhat
No data.