CVE-2021-39338 – MyBB Cross-Poster <= 1.0 Authenticated Stored Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2021-39338

The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. El plugin MyBB Cross-Poster de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Almacenado debido a una comprobación insuficiente y saneamiento de entradas por medio de diversos parámetros encontrados en el archivo ~/classes/MyBBXPSettings.php que permitían a atacantes con acceso de usuario administrativo inyectar scripts web arbitrarios, en versiones hasta la 1.0 incluyéndola. Esto afecta a las instalaciones multi-sitio en las que unfiltered_html está deshabilitado para los administradores, y a los sitios en los que unfiltered_html está deshabilitado The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators and sites where unfiltered_html is disabled. • https://github.com/BigTiger2020/word-press/blob/main/MyBB%20Cross-Poster.md https://plugins.trac.wordpress.org/browser/mybb-cross-poster/trunk/classes/MyBBXPSettings.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39338 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •