PT-2021-22550 · WordPress · Mpl-Publisher

Published: 2021-10-19 · Updated: 2025-04-25 · CVE-2021-39343

CVSS v3.1: 5.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: MPL-Publisher WordPress plugin versions up to and including 1.30.2
Description: Several parameters handled in the ~/libs/PublisherController.php file are insufficiently validated and sanitized, allowing attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where the `unfiltered_html` capability is disabled for administrators, and sites where `unfiltered_html` is disabled.
Recommendations: For versions up to and including 1.30.2, update to a version that includes the necessary input validation and sanitization fixes to prevent Stored Cross-Site Scripting. As a temporary workaround until a patch is available, consider restricting administrative access to trusted users only, and enable `unfiltered_html` for administrators if possible.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2021-39343

Affected Products: Mpl-Publisher