SportsPress < 2.7.2 - Authenticated Stored Cross-Site Scripting

Description
Any user with the Administrator or League Manager role can store an XSS payload in the custom delimiter setting for event pages; the stored payload then executes on every event page of the site.
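The defect described above is a plugin setting that is saved verbatim and printed unescaped into public pages. The following is an added example, not SportsPress code: it shows that pattern beside its hardened form for a hypothetical "event delimiter" option. The option name `ex_event_delimiter`, the `ex_` function names and the nonce action are assumptions for illustration; the WordPress API calls (`sanitize_text_field`, `esc_html`, `current_user_can`, `check_admin_referer`, `wp_unslash`, `update_option`, `get_option`) are real.

```php
<?php
/*
 * Added example (not SportsPress code): a short "custom delimiter" plugin
 * setting saved from an admin form and printed on public event pages.
 * Option name, function names and the nonce action are hypothetical.
 */

// --- Vulnerable pattern: raw input stored and echoed without escaping ---
function ex_save_delimiter_unsafe() {
    if ( isset( $_POST['ex_event_delimiter'] ) ) {
        // Stored verbatim: any markup the submitter types is kept as-is.
        update_option( 'ex_event_delimiter', wp_unslash( $_POST['ex_event_delimiter'] ) );
    }
}

function ex_render_delimiter_unsafe() {
    // Echoed raw into every event page: this is the stored XSS sink.
    echo get_option( 'ex_event_delimiter', ' | ' );
}

// --- Hardened pattern: capability + nonce check, sanitize on save, escape on output ---
function ex_save_delimiter_safe() {
    if ( ! isset( $_POST['ex_event_delimiter'] ) ) {
        return;
    }
    // Only users allowed to manage options, submitting from the real settings form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'ex_save_delimiter' );

    // A delimiter is a short plain string: strip tags and line breaks, then cap
    // its length so it cannot carry markup at all.
    $delimiter = sanitize_text_field( wp_unslash( $_POST['ex_event_delimiter'] ) );
    $delimiter = mb_substr( $delimiter, 0, 10 );
    update_option( 'ex_event_delimiter', $delimiter );
}

function ex_render_delimiter_safe() {
    // Escape at the point of output regardless of what is stored; this holds
    // even if an unsanitized value from an older version is already in the DB.
    echo esc_html( get_option( 'ex_event_delimiter', ' | ' ) );
}

// Hypothetical wiring: the settings form posts to admin-post.php with action=ex_save_delimiter.
add_action( 'admin_post_ex_save_delimiter', 'ex_save_delimiter_safe' );
```

Output escaping (`esc_html`) is the control that matters most here, because a fix that only sanitizes on save leaves any payload already stored by an earlier version live until the setting is re-saved. On a single-site install, Administrators normally hold the `unfiltered_html` capability anyway, so the practical exposure from this class of bug comes from the lower-privileged League Manager role and from multisite installs, where that capability is withheld from site administrators.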
Proof of Concept
Video PoC: https://youtu.be/J8QZ8S6CiS8

Affects Plugin: SportsPress (versions before 2.7.2)

References

CVE-2020-13892

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Rishi
Submitter: Rishi
Views: 1414
Verified: No
WPVDB ID: 10257

Timeline

Publicly Published: 2020-06-07 (about 1 month ago)
Added: 2020-06-07 (about 1 month ago)
Last Updated: 2020-06-08 (about 1 month ago)