MEDIUM🇵🇱 Wersja polska

CVE-2025-0169

CVSS 6.4v3.1pub. 2025-02-08upd. 2025-02-11

The DWT - Directory & Listing WordPress Theme is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Scriptsbundle Dwt Listing

    APP
    Scriptsbundle
    < 3.3.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-12857CRITICAL9.8PL ✓ten sam vendor

AdForest WordPress Theme — Authentication Bypass przez OTP (do v5.1.8)

CVE-2024-11350CRITICAL9.8PL ✓ten sam vendor

AdForest dla WordPress — przejęcie konta i privilege escalation bez uwierzytelnienia

CVE-2024-11349CRITICAL9.8PL ✓ten sam vendor

Podatność authentication bypass w motywie AdForest dla WordPress (≤ 5.1.6)

CVE-2024-12855MEDIUM4.3ten sam vendor

The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capabilit...

CVE-2019-15870MEDIUM5.4ten sam vendor

The CarSpot theme before 2.1.7 for WordPress has stored XSS via the Phone Number field.