PublishPress Capabilities < 2.3.3 - Cross-Site Scripting
Detects stored XSS vulnerability in PublishPress Capabilities plugin versions below 2.3.3.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
PublishPress Capabilities is a widely used WordPress plugin for editing user roles and the capabilities assigned to them. Versions prior to 2.3.3 contain a stored Cross-Site Scripting (XSS) vulnerability: input the plugin accepts is saved without adequate sanitization and later rendered without escaping, so an attacker can have JavaScript of their choosing executed in the browser of any user who views the affected page, whether that page is an administrative screen or part of the public site.
Because the payload is stored rather than reflected, the victim does not have to follow a crafted link; the script runs every time the page is loaded. When the page is an administrator-facing screen, the script executes with the administrator's session and can perform actions that session is allowed to perform; when the page is public-facing, every visitor receives the payload. The practical outcomes are session hijacking, unauthorized administrative actions, and delivery of further malicious content to users.
The check is version-based: the scanner fingerprints the installed PublishPress Capabilities version and reports the target as vulnerable when that version is below 2.3.3. It does not attempt to inject or execute a payload. Version fingerprints read from plugin files such as readme.txt can be stale or absent, so confirm the installed version from the WordPress dashboard or with WP-CLI before closing the finding. Mitigation is to update the plugin to 2.3.3 or later; beyond that, audit the site's own code for places where stored input reaches HTML without escaping, using WordPress's esc_html(), esc_attr() and wp_kses_post() helpers at the point of output.
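The following is an added example of the kind of version-based check described above; it is not the scanner's own code and not code from the PublishPress project. It assumes the plugin's directory slug is "capabilities" (so its readme.txt would be served from /wp-content/plugins/capabilities/readme.txt) and reads the version from the "Stable tag" header, the way many plugin fingerprinters do. The sample readme.txt embedded in the block is constructed for the example, and the version comparison is numeric so that, for instance, 2.10.0 is correctly ranked above 2.3.3.

```python
"""Version-based check for PublishPress Capabilities < 2.3.3.

Added example; not the scanner's own code. It assumes the plugin's
directory slug is 'capabilities', so its readme.txt is served from
/wp-content/plugins/capabilities/readme.txt, and it reads the version
from the 'Stable tag' header as many plugin fingerprinters do.
"""
import re
import sys
from urllib.parse import urljoin
from urllib.request import Request, urlopen

FIXED_VERSION = "2.3.3"
README_PATH = "wp-content/plugins/capabilities/readme.txt"  # assumed slug

# Constructed sample of a plugin readme.txt header (not a real file).
SAMPLE_README = """=== PublishPress Capabilities ===
Contributors: publishpress
Tags: user roles, capabilities
Requires at least: 4.9
Tested up to: 5.8
Stable tag: 2.3.2
License: GPLv3
"""


def parse_version(version: str) -> tuple:
    """Convert '2.3.2' to (2, 3, 2) so comparisons are numeric.

    A plain string comparison would wrongly rank '2.10.0' below '2.3.3'.
    Non-numeric suffixes such as '-beta' are ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_stable_tag(readme: str):
    """Return the 'Stable tag' value from readme.txt text, or None."""
    match = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_readme(readme: str) -> dict:
    """Classify a readme.txt body; 'vulnerable' is None when no usable version is found."""
    version = parse_stable_tag(readme)
    if version is None or version.lower() == "trunk":
        return {"version": version, "vulnerable": None}
    return {"version": version, "vulnerable": is_vulnerable(version)}


def fetch_readme(base_url: str, timeout: int = 10) -> str:
    """Fetch the plugin readme from a live site (network; not exercised offline)."""
    url = urljoin(base_url.rstrip("/") + "/", README_PATH)
    req = Request(url, headers={"User-Agent": "capabilities-version-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    body = fetch_readme(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_README
    result = check_readme(body)
    if result["vulnerable"] is None:
        print("version not determined; confirm from the dashboard or WP-CLI")
    else:
        state = "VULNERABLE (< 2.3.3)" if result["vulnerable"] else "not affected"
        print(f"PublishPress Capabilities {result['version']}: {state}")
```

Run with a site URL to fetch the readme, or with no arguments to evaluate the constructed sample. A "Stable tag" can lag behind the code actually deployed, and some sites strip readme files, so treat a positive result as a lead to confirm on the host (for example with `wp plugin get capabilities --field=version`, assuming the same slug) rather than as proof of exploitability.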