[52] CVE-2022-2629
During security research, I found an authenticated Stored XSS vulnerability.
The name of the plugin is: Top Bar < 3.0.4
Description
The plugin does not sanitise and escape some of its settings before
outputting them in frontend pages, which could allow high-privilege users
such as admins to perform Stored Cross-Site Scripting attacks
even when the unfiltered_html capability is disallowed
(for example, in a multisite setup).
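The kind of fix this description calls for, shown as an added example that is neither the plugin's code nor the withheld PoC: a hypothetical settings group is sanitised on save, with `unfiltered_html` checked explicitly, and escaped again on output. The option name `example_bar_options`, its field names and the `example_bar_*` functions are assumptions made for illustration.

```php
<?php
// Added example for a hypothetical plugin; all example_bar_* names are assumptions.

// 1. Sanitise on save: register the option with a sanitize callback.
add_action( 'admin_init', function () {
    register_setting( 'example_bar_group', 'example_bar_options', array(
        'type'              => 'array',
        'sanitize_callback' => 'example_bar_sanitize',
        'default'           => array(),
    ) );
} );

function example_bar_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Rich-text field: only users holding unfiltered_html may store raw markup.
    // On multisite, site admins lack that capability, so their input is
    // reduced to the post-content allowlist (no <script>, no on* handlers).
    $message          = isset( $input['message'] ) ? (string) $input['message'] : '';
    $clean['message'] = current_user_can( 'unfiltered_html' )
        ? $message
        : wp_kses_post( $message );

    // Plain-text and URL fields never need markup, whoever saves them.
    $clean['button_text'] = sanitize_text_field( isset( $input['button_text'] ) ? $input['button_text'] : '' );
    $clean['button_url']  = esc_url_raw( isset( $input['button_url'] ) ? $input['button_url'] : '' );

    return $clean;
}

// 2. Escape on output: never echo a stored setting as-is on the frontend.
add_action( 'wp_footer', function () {
    $opts = wp_parse_args( (array) get_option( 'example_bar_options', array() ), array(
        'message'     => '',
        'button_text' => '',
        'button_url'  => '',
    ) );

    // The pattern the description warns about would be: echo $opts['message'];
    printf(
        '<div class="example-bar">%s <a href="%s">%s</a></div>',
        current_user_can( 'unfiltered_html' ) && is_super_admin() ? $opts['message'] : wp_kses_post( $opts['message'] ),
        esc_url( $opts['button_url'] ),   // rejects javascript: and other disallowed schemes
        esc_html( $opts['button_text'] )  // text context
    );
} );
```

Note that the output-time check on `message` reflects the viewer, not the author, so for anonymous visitors the stored value always passes through `wp_kses_post()`; a plugin that must render trusted raw markup to everyone has to rely on the save-time filter alone.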
POC
The PoC will be displayed on October 03, 2022,
to give users the time to update.
Additional information
WPSCAN link: https://wpscan.com/vulnerability/25a0d41f-3b6f-4d18-b4d5-767ac60ee8a8
The plugin has more than 20,000 active installations.