PT-2019-14877 · WordPress · Visualizer

Published: 2019-10-03 · Updated: 2019-10-09 · CVE-2019-16931
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Visualizer plugin version 3.3.0
Description: A stored XSS vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript in the browser of an admin or other privileged user who edits the chart via the admin dashboard. This occurs because the "wp-json/visualizer/v1/update-chart" endpoint is registered with no access control, and the classes/Visualizer/Render/Page/Data.php file lacks output sanitization for user input.
Recommendations: For Visualizer plugin version 3.3.0, update the plugin to a version that adds output sanitization for the "wp-json/visualizer/v1/update-chart" endpoint and implements proper access control to prevent unauthorized access. As a temporary workaround, consider restricting access to the admin dashboard to minimize the risk of exploitation.
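The two defects the description names, a REST route registered without a permission check and a stored value echoed without escaping, as an added illustrative example that is not Visualizer's own code: the weak registration pattern followed by the hardened form. Only the route path comes from the advisory; the handler, option and field names are assumptions.

```php
<?php
// Added example, not Visualizer's own code: the REST route named in the advisory,
// weak registration first, then hardened. Handler/option/field names are assumptions.
// Weak: no permission_callback, so the route is callable without any credentials,
// and the submitted settings are stored exactly as received.
function vz_weak_register_route() {
    register_rest_route( 'visualizer/v1', '/update-chart', array(
        'methods'  => 'POST',
        'callback' => 'vz_update_chart',
    ) );
}
// Hardened: refuse callers without the edit capability and sanitize each
// field before it is stored.
function vz_register_route() {
    register_rest_route( 'visualizer/v1', '/update-chart', array(
        'methods'             => 'POST',
        'callback'            => 'vz_update_chart',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'settings' => array(
                'required'          => true,
                'type'              => 'object',
                'sanitize_callback' => 'vz_sanitize_settings',
            ),
        ),
    ) );
}
function vz_sanitize_settings( $settings ) {
    $clean = array();
    foreach ( (array) $settings as $key => $value ) {
        // Non-scalar values are dropped; text fields are stripped of tags.
        $clean[ sanitize_key( $key ) ] = is_scalar( $value )
            ? sanitize_text_field( (string) $value ) : '';
    }
    return $clean;
}
function vz_update_chart( WP_REST_Request $request ) {
    update_option( 'vz_chart_settings', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
// Output: escape the stored title when rendering the edit form, so a value that
// slipped past input sanitization still cannot run as script.
function vz_render_title_input( $title ) {
    return '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}
add_action( 'rest_api_init', 'vz_register_route' );
```

Since WordPress 5.5, register_rest_route() raises a _doing_it_wrong notice when permission_callback is omitted, which makes the weak form above visible in debug logs.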

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2019-16931

Affected Products: Visualizer