The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: WPScan
Published: 2023-10-31T13:54:42.835Z
Updated: 2024-08-02T07:38:00.735Z
Reserved: 2023-09-07T16:27:20.483Z
Link: CVE-2023-4823
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-10-31T14:15:12.103
Modified: 2024-11-21T08:36:02.900
Link: CVE-2023-4823
Redhat
No data.