[53] CVE-2022-3136
During a security research I found an authenticated Stored XSS vulnerability.
The name of the plugin is: Social Rocket < 1.3.3
Description
The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Stored Cross-Site Scripting
attacks even when the unfiltered_html capability is
disallowed (for example in multisite setup)
POC
The PoC will be displayed on October 03, 2022,
to give users the time to update.
Additional information
WPSCAN link: https://wpscan.com/vulnerability/913d7e78-23f6-4b0d-aca3-17051a2dc649
Plugin has more than 3,000+ active installations.