CVE-2024-3903 – Add Custom CSS and JS <= 1.20 - Stored XSS via CSRF

https://notcve.org/view.php?id=CVE-2024-3903

The Add Custom CSS and JS WordPress plugin through 1.20 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack El complemento Add Custom CSS y JS de WordPress hasta la versión 1.20 no tiene verificación CSRF en algunos lugares y le falta sanitización y escape, lo que podría permitir a los atacantes iniciar sesión como autor y agregar payloads XSS almacenado a través de un ataque CSRF. The Add Custom CSS and JS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.20. This is due to missing or incorrect nonce validation on the custom_js_css page. This makes it possible for unauthenticated attackers to modify plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/0a0e7bd4-948d-47c9-9219-380bda9f3034 • CWE-352: Cross-Site Request Forgery (CSRF) •