Widget Settings Importer/Exporter <= 1.5.3 - Authenticated Stored XSS



Description
"This flaw allowed an authenticated attacker with minimal, subscriber-level permissions to import and activate custom widgets containing arbitrary JavaScript into a site with the plugin installed."

Affects Plugin

no known fix - plugin closed

References

URL https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ram Gall (wordfence)
Views 1809
Verified No
WPVDB ID 10180

Timeline

Publicly Published 2020-04-15 (about 1 month ago)
Added 2020-04-15 (about 1 month ago)
Last Updated 2020-04-16 (about 1 month ago)
