WordPress Plugin “My WP Customize Admin/Frontend” vulnerable to cross-site scripting

Overview

WordPress Plugin “My WP Customize Admin/Frontend” contains a cross-site scripting vulnerability.

Description

WordPress Plugin “My WP Customize Admin/Frontend” provided by gqevu6bsiz contains a stored cross-site scripting vulnerability (CWE-79).

Impact

If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the following version that addresses this vulnerability.

• My WP Customize Admin/Frontend ver 1.24.1

Credit

The developer reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and the developer coordinated to publish this advisory.