Reflected Cross-Site Scripting Vulnerability in WP Quick FrontEnd Editor Plugin by WordPress
CVE-2021-4363

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Quick Frontend Editor – WordPress Plugin
Vendor: CVE Published:; 7 June 2023

Summary

The WP Quick FrontEnd Editor plugin for WordPress is susceptible to a Reflected Cross-Site Scripting vulnerability found in versions up to and including 5.5. This issue arises from inadequate input sanitization and output escaping on the 'save_content_front' function, particularly due to the direct usage of print_r on user-supplied $_REQUEST values. As a result, unauthenticated attackers could exploit this flaw to inject arbitrary web scripts into pages. These malicious scripts could be executed in the context of the user's session if they are tricked into clicking on a deceptive link, posing significant risks to user data and website integrity.

Affected Version(s)

WP Quick FrontEnd Editor – WordPress Plugin * <= 5.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-quick-front-end-editor/#...

https://blog.nintechnet.com/multiple-vulnerabilities-in-w...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet