漏洞标题
Philantro – Donations and Donor Management <= 5.3 版本中存在经认证的(Contributor+)donate短代码存储型跨站脚本漏洞
漏洞描述信息
WordPress插件Philantro – 捐赠与捐赠者管理在所有版本中(包括5.3版本)存在Stored Cross-Site Scripting漏洞。该漏洞是由于插件的短代码(如'donate')在处理用户提供的属性时,输入清理和输出转义不足导致的。这使得具有贡献者级别及以上访问权限的认证攻击者能够在页面中注入任意Web脚本,当用户访问被注入的页面时,这些脚本将被执行。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Philantro – Donations and Donor Management <= 5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode
漏洞描述信息
The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)