WordPress Travel Management plugin <= 2.0 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Software: Travel Management
Vulnerable versions: <= 2.0
PSID: ae2a8b39a3d3
Classification: Cross Site Scripting (XSS)
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Required privilege: Requires contributor or higher role user authentication.
Publicly disclosed: 2022-05-26
Patchstack vPatch available since: 09.12.2021
Details
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities were discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress Travel Management plugin (versions <= 2.0).
Solution
Deactivate and delete the plugin. This plugin has been closed as of May 6, 2022 and is not available for download. This closure is temporary, pending a full review.
References
CVE-2022-27859
Plugin page