[48] CVE-2021-36845
During a security research I found an authenticated Stored XSS vulnerability. The name of the plugin is: WordPress YITH Maintenance Mode plugin, the version of the affected plugin: < 1.3.8
Description
The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Cross-Site Scripting
attacks even when unfiltered_html is disallowed
Details
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
discovered by Vlad Visse (Patchstack) in WordPress YITH Maintenance
Mode plugin (versions <= 1.3.8). Additionally, there are 46
additional parameters fixed that were missed by updating from
vulnerable version 1.3.7 to 1.3.8 reported
by Asif Nawaz Minhas (Patchstack Red Team).
Additional information
NIST CVSS SCORE: 4.8
Plugin has more than 7,000+ active installations.