Bug Bounty – Chevon Phillip

SendPress Newsletter < 1.20.7.13 - Authenticated Stored Cross-Site Scripting (XSS)

Posted on July 13, 2020July 19, 2020 by Chevon

Multiple Stored Cross-Site Scripting within SendPress Newsletter Settings due to improper input sanitation.

The vulnerable fields are:

From Name
From Email
Where to send Test Email

https://wpvulndb.com/vulnerabilities/10317

Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting

Posted on July 13, 2020July 19, 2020 by Chevon

An Authenticated Stored Cross-Site Scripting (XSS) was discovered within the Company Info “Motto” field. When creating a new newsletter using an empty template with the header module, the XSS would execute.

https://wpvulndb.com/vulnerabilities/10304

WP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting

Posted on July 13, 2020July 19, 2020 by Chevon

There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload.

https://wpvulndb.com/vulnerabilities/10303