PT-2026-22341 · WordPress · Dato Cms Web Previews

Ayoub Benlamchich · Published 2026-02-27 · Updated 2026-02-27 · CVE-2026-3327

CVSS v4.0 score: 4.8 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions
Dato CMS Web Previews plugin versions prior to 1.0.31

Description
A malicious authenticated user can bypass the configured frontend URL restriction, allowing arbitrary external resources or origins to be loaded. This is due to an authenticated iframe injection issue.

Recommendations
Update to version 1.0.31 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers
CVE-2026-3327

Affected Products
Dato Cms Web Previews