Stored XSS Vulnerability in All in One SEO Pack Plugin by WordPress
CVE-2020-35946

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: All In One Seo Pack
Vendor: CVE Published:; 1 January 2021

Summary

A vulnerability was found in the All in One SEO Pack plugin for WordPress, prior to version 3.6.2. This issue allows Contributor-level users to submit unsanitized input in the SEO Description and Title fields, which can lead to stored XSS attacks. Malicious scripts could then be executed in the context of any user who views the impacted content, potentially compromising user data and site integrity.

References

https://www.wordfence.com/blog/2020/07/2-million-users-af...

x_refsource_MISC

https://wpscan.com/vulnerability/10320

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 1, 2021
Vulnerability Reserved
Jan 1, 2021