The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Configurations
History
21 Nov 2024, 07:37
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.2.9/app/Common/Main/Updates.php?v=2829340#L624 - Release Notes | |
References | () https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.2.9/app/Common/Main/Updates.php?v=2829340#L625 - Release Notes | |
References | () https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.2.9/app/Common/Main/Updates.php?v=2829340#L665 - Release Notes | |
References | () https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.2.9/app/Common/Main/Updates.php?v=2829340#L666 - Release Notes | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2859011%40all-in-one-seo-pack%2Ftrunk&old=2847431%40all-in-one-seo-pack%2Ftrunk&sfp_email=&sfph_mail= - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/3db97180-9308-4891-9de9-acefe31d088f - Release Notes, Third Party Advisory | |
Summary |
|
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.4 |
07 Nov 2023, 04:00
Type | Values Removed | Values Added |
---|---|---|
CWE |
Information
Published : 2023-02-24 15:15
Updated : 2024-11-21 07:37
NVD link : CVE-2023-0585
Mitre link : CVE-2023-0585
CVE.ORG link : CVE-2023-0585
JSON object : View
Products Affected
aioseo
- all_in_one_seo
CWE
No CWE.