Duplicate Post <= 3.2.3 - Authenticated Stored Cross-Site Scripting (XSS)



Description
The Duplicate Post plugin was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). However, the POST request had a CSRF nonce that was verified, and no user's without the unfiltered_html capability, such as Author or Subscriber, were able to access the affected Duplicate Post settings page. Therefore, this vulnerability would be very difficult to exploit in the real world. The risk of this issue is very low.

Affects Plugin

fixed in version 3.2.4

References

PacketStorm 154622
URL https://wordpress.org/support/topic/cross-site-scripting-xss-vulnerability-2/
URL https://plugins.trac.wordpress.org/changeset/2208827/duplicate-post

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Unk9vvN
Views 3799
Verified No
WPVDB ID 9978

Timeline

Publicly Published 2019-09-26 (9 months ago)
Added 2019-12-19 (7 months ago)
Last Updated 2019-12-20 (7 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin