The Shiny Buttons WordPress plugin through 1.1.0 does not...
Moderate severity
Unreviewed
Published
Dec 14, 2021
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Description
Published by the National Vulnerability Database
Dec 13, 2021
Published to the GitHub Advisory Database
Dec 14, 2021
Last updated
Feb 1, 2023
The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues.
References