The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/3e8bd875-2435-4a15-8ee8-8a00882b499c | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2022-06-20T10:26:16
Updated: 2022-06-20T10:26:16
Reserved: 2022-05-26T00:00:00
Link: CVE-2022-1896
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-06-20T11:15:10.390
Modified: 2022-06-28T17:02:01.363
Link: CVE-2022-1896
JSON object: View
Redhat Information
No data.
CWE