CVSS Summary
| Score | 6.5 Medium |
|---|---|
| Vector | Network |
| Complexity | Low |
| Authentication | Single |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Last revised:
This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages, which is then executed by the browsers of other users.
On single sites, only Administrators have the unfiltered_html capability, and on multisite, only Super Admins have it. This means that, for example, malicious Admins on a multisite or malicious Editors would be able to perform stored XSS attacks against other site users and visitors.
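The defect class described above is a plugin storing user-supplied HTML without applying the same capability check WordPress core applies to post content. The following is an added illustration, not the affected plugin's code: a hypothetical meta-box save handler in its vulnerable and fixed forms, with all field, nonce and meta-key names being placeholders.

```php
<?php
// Added example (not the plugin's own code): a hypothetical meta box that
// stores an "example_custom_html" field on a post. Field, nonce and meta-key
// names are placeholders.

// Vulnerable pattern: any user who can edit the post can store <script>
// (or on* handlers, javascript: URLs, ...) in the field, which is later
// rendered into pages viewed by other users.
function example_save_custom_html_vulnerable( $post_id ) {
    if ( ! isset( $_POST['example_custom_html'] ) ) {
        return;
    }
    update_post_meta( $post_id, '_example_custom_html', wp_unslash( $_POST['example_custom_html'] ) );
}

// Fixed pattern: mirror the rule core applies to post_content. Core runs
// wp_kses_post() over content saved by users without unfiltered_html
// (see kses_init_filters() in wp-includes/kses.php), but plugin-stored
// fields receive no such filtering unless the plugin does it itself.
function example_save_custom_html_fixed( $post_id ) {
    if ( ! isset( $_POST['example_custom_html'], $_POST['example_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $html = wp_unslash( $_POST['example_custom_html'] );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // Keeps only the tags and attributes in wp_kses_allowed_html( 'post' );
        // script elements, event-handler attributes and javascript: URLs are
        // removed. Users who do hold unfiltered_html are left untouched, so a
        // site where every account has the capability behaves exactly as before.
        $html = wp_kses_post( $html );
    }
    update_post_meta( $post_id, '_example_custom_html', $html );
}

add_action( 'save_post', 'example_save_custom_html_fixed' );
```

Values stored before such a fix stay in the database, so a site that has been running the vulnerable version should also review existing content rather than rely on the save-time check alone.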
Current state: Fixed
Upgrade to version 1.0.3 or later.
N.B. If all accounts are trusted, or all accounts have the unfiltered_html capability, then there is no issue.