Critical Vulnerability Information

Description
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Affected Plugin: PVN Auth Popup <= 1.0.0
Issue: The plugin does not sanitize or escape some of its settings. A high-privilege user (such as an administrator) can therefore store a script payload in a setting value that is later rendered to other users of the site. The payload executes even when the unfiltered_html capability is disallowed, as it is for site administrators in a multisite installation; that restriction is exactly what the plugin should be enforcing, and bypassing it is what makes this a vulnerability rather than expected administrator behaviour.

Proof of Concept (PoC)
1. Navigate to
2. In the "Login text" input field under the first section, enter the payload:
3. Save the settings and observe the XSS effect.
Note: Other fields may also be vulnerable.

Affected Plugin
Plugin Name: pvn-auth-popup
Fix Status: No known fix available
Mitigation: No patched release is known; deactivating and removing the plugin is the only complete mitigation at the time of this record.

References
CVE ID: CVE-2024-6713

Classification
Type: XSS
OWASP Top 10: A7:2017 Cross-Site Scripting (XSS)
CWE ID: CWE-79
CVSS Score: 3.5 (Low)

Additional Information
Original Researcher: Vuln Seeker Cybersecurity Team
Submitter Website: http://vulnseeker.org
Verification Status: Verified
WPVDB ID: 24685b19-0a44-411a-9e1b-d4d0627d7cb6

Timeline
Public Disclosure Date: 2024-06-05
Added Date: 2024-07-23
Last Updated Date: 2024-07-23
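The following is an added example, not code from the PVN Auth Popup plugin (the plugin's source is not part of this record) and not the researcher's PoC. It is a hypothetical WordPress settings handler, with made-up option and function names (example_popup_login_text, example_popup_options and the example_* functions), that shows the vulnerability class described above next to a hardened version: a setting registered without a sanitize_callback and echoed raw, versus the same setting filtered with wp_kses_post() on save and escaped again on output.

```php
<?php
// Hypothetical illustration of "unsanitized, unescaped setting" stored XSS.
// Not the pvn-auth-popup plugin's code; option and function names are invented.

// --- Vulnerable pattern -----------------------------------------------------
function example_vuln_register_settings() {
    // No sanitize_callback: whatever the submitting user types is stored verbatim,
    // regardless of whether that user holds the unfiltered_html capability.
    register_setting( 'example_popup_options', 'example_popup_login_text' );
}
add_action( 'admin_init', 'example_vuln_register_settings' );

function example_vuln_render_login_text() {
    // Raw echo on the front end: stored markup runs in every visitor's browser.
    echo '<span class="popup-login">' . get_option( 'example_popup_login_text' ) . '</span>';
}

// --- Hardened pattern -------------------------------------------------------
function example_safe_register_settings() {
    register_setting(
        'example_popup_options',
        'example_popup_login_text',
        array(
            'type'              => 'string',
            // wp_kses_post() applies the same allow-list WordPress uses for post
            // content written by users without unfiltered_html, so script tags and
            // on* event handlers are stripped and the multisite restriction holds.
            // Use 'sanitize_text_field' instead if the setting never needs markup.
            'sanitize_callback' => 'wp_kses_post',
            'default'           => 'Log in',
        )
    );
}
add_action( 'admin_init', 'example_safe_register_settings' );

function example_safe_render_login_text() {
    $text = get_option( 'example_popup_login_text', 'Log in' );
    // Escape on output as well as on save: sanitizing at save time does not
    // cover values written to the option by other paths (imports, WP-CLI,
    // direct database edits, older plugin versions).
    echo '<span class="popup-login">' . wp_kses_post( $text ) . '</span>';
}

function example_safe_render_input_field() {
    $text = get_option( 'example_popup_login_text', 'Log in' );
    // In the settings form the value lands inside an HTML attribute, so the
    // attribute escaper esc_attr() is the correct choice there, not wp_kses_post().
    printf(
        '<input type="text" name="example_popup_login_text" value="%s" />',
        esc_attr( $text )
    );
}
```

The two choices that matter are the sanitize_callback on register_setting(), which is what WordPress offers for enforcing the unfiltered_html policy on plugin settings, and escaping at every output site with the escaper that matches the context (wp_kses_post() for allowed HTML in element content, esc_attr() for attribute values, esc_html() for plain text). Checking only one of the two leaves the other path open.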