LocalWeb All In One, 2e318f1f7c17f31318df511c6c796657071482ba

CVE, Research URL: 2e318f1f7c17f31318df511c6c796657071482ba
Home page URL: Security reports for LocalWeb All In One
Application: LocalWeb All In One
Published on: Oct 12, 2020
Research Description: LocalWeb All In One [lw-all-in-one] < 1.6.5 Web Instant Messenger <= 1.1.2 and LocalWeb In One <= 1.6.4 - Stored Cross-Site Scripting The Web Instant Messenger and LocalWeb In One plugins for WordPress are vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.4 (NOTE: Web Instant Messenger's latest version 1.1.2 is unpatched) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.6.5.
Status: vulnerable