The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
History

Wed, 11 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Freebiesdownload
Freebiesdownload pvn Auth Popup
Weaknesses CWE-79
CPEs cpe:2.3:a:freebiesdownload:pvn_auth_popup:*:*:*:*:*:wordpress:*:*
Vendors & Products Freebiesdownload
Freebiesdownload pvn Auth Popup

Tue, 20 May 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 May 2025 20:15:00 +0000

Type Values Removed Values Added
Description The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Title PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2025-05-15T20:07:09.539Z

Updated: 2025-05-20T19:23:31.210Z

Reserved: 2024-07-12T14:00:01.137Z

Link: CVE-2024-6713

cve-icon Vulnrichment

Updated: 2025-05-19T20:26:11.623Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-15T20:15:56.110

Modified: 2025-06-11T16:56:08.530

Link: CVE-2024-6713

cve-icon Redhat

No data.