CVE-2020-29303

Name of the Vulnerable Software and Affected Versions SabaiApp Directories Pro plugin version 1.3.45

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a POST to "/wp-admin/admin.php?page=drts/directories&q=%2F" with the drts form build id parameter containing the XSS payload and the t parameter set to an invalid or non-existent CSRF token.

Recommendations For SabaiApp Directories Pro plugin version 1.3.45, consider disabling the /wp-admin/admin.php?page=drts/directories endpoint until a patch is available. Restrict access to the drts form build id parameter to minimize the risk of exploitation. Avoid using the t parameter with invalid or non-existent CSRF tokens in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.