2021-11-17 10:15:52
WPScan
PUBLISHED
The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another posts custom fields.