From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Plugin Name: WordPress File Upload < 4.24.8
2. Vulnerability Type: Unauthenticated Stored XSS
3. Description: The plugin does not properly sanitize and escape certain parameters, allowing unauthorized users to perform stored cross-site scripting (XSS) attacks.
4. Proof of Concept:
   - Add an upload form to an existing page/post.
   - Add a custom field (e.g., simple text) to submit additional data along with the uploaded file.
   - Submit the form as an unauthorized user, including the following payload in the text field:
   - As an administrator, go to the "Upload Files" section and click "View Details" to trigger the XSS.
5. Affected Plugin: wp-file-upload
6. Fix Status: Fixed in version 4.24.8.
7. References:
   - CVE: None
   - OWASP Top 10: A7: Cross-Site Scripting (XSS)
   - CWE: CWE-79
8. Additional Information:
   - Original Researcher: Majedddine Ben Hadj Brahim
   - Submitter: Majedddine Ben Hadj Brahim
   - Verified: Yes
   - WPVDB ID: 5b21a9be-b5fe-47ef-91c7-018dd42f763f
   - Publication Date: 2024-07-16
   - Added Date: 2024-07-16
   - Last Updated: 2024-07-16
   - Related Vulnerabilities:
     - Flower Delivery by Florist One <= 3.7 - Admin+ Stored Cross-Site Scripting
     - Simple Banner < 2.12.0 - Admin+ Stored Cross Site Scripting
     - Supreme Modules Lite - Divi Theme, Extra Theme and Divi Builder < 2.5.52 - Authenticated (Contributor+) Stored Cross-Site Scripting
     - Picture Gallery < 1.5.12 - Authenticated (Author+) Stored Cross-Site Scripting
     - Query Wrangler < 1.5.52 - Reflected XSS

This information provides a detailed description and resolution for the unauthenticated stored XSS vulnerability in the WordPress File Upload plugin.
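
A defender-side check for the affected range, added here as an example (not code from the advisory or the plugin): it reads the `Version:` header that WordPress uses for plugins and compares it with the fixed release 4.24.8. The `wp-content/plugins/wp-file-upload` path assumes a default WordPress layout, and the sample site and its file name are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 24, 8)          # first fixed release, per the advisory
SLUG = "wp-file-upload"     # affected plugin slug, per the advisory
# WordPress takes a plugin's version from a "Version:" header in its main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = HEADER.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def installed_version(wp_root):
    """Find the plugin version under wp_root/wp-content/plugins/<SLUG> (assumed layout)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KB of each file for headers.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version is not None:
            return version
    return None

def status(wp_root):
    """Classify an install as 'absent', 'vulnerable' or 'fixed'."""
    version = installed_version(wp_root)
    if version is None:
        return "absent"
    # Pad short versions so that e.g. 4.3 compares as 4.3.0.
    padded = version + (0,) * (len(FIXED) - len(version))
    return "vulnerable" if padded < FIXED else "fixed"

def make_sample_site(version):
    """Build a constructed WordPress tree in a temp dir (sample data only)."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True)
    # Placeholder file name; any top-level PHP file carrying the header is found.
    (plugin_dir / "plugin-main.php").write_text(
        f"<?php\n/*\nPlugin Name: Sample\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    for v in ("4.24.7", "4.24.8", "4.3"):
        print(v, status(make_sample_site(v)))
```

An install reported as `vulnerable` should be updated to 4.24.8 or later.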