The WP Attachments plugin before 5.0.6 allows users with lower than the default “Uploads” permissions to run XSS attacks via JavaScript code embedded in attachments submitted through file upload. This issue is now fixed in version 5.0.6 or later.

The WP Attachments plugin before 5.0.5 does not validate the required permissions of the user when setting the “Unfiltered HTML” capability. This issue is now fixed in version 5.0.6 or later.

The WP Attachments plugin before 5.0.5 does not properly sanitize the “Unfiltered HTML” capability for non-admin users. This issue is now fixed in version 5.0.6 or later.

WP Attachments before 5.0.5 does not prevent access to its settings via plugin actions, allowing low-privilege users to access the “Unfiltered HTML” capability and run XSS attacks.

WP Attachments before 5.0.5 does not properly sanitize the “Unfiltered HTML” capability when setting the “Send via email” option, allowing low-privilege users to send XSS emails.

WP Attachments before 5.0.5 does not properly sanitize the “Unfiltered HTML” capability when setting the “Send via SMTP” option, allowing low-privilege users
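The common thread in the issues above is a settings handler that honours an “Unfiltered HTML” option without checking who is saving it, and an upload path that accepts browser-executable content from low-privilege users. The PHP below is an added illustration of the defensive pattern, not code from the WP Attachments plugin: the hook, function, option and nonce names (everything prefixed `wpa_`) are assumptions for the example, while `current_user_can`, `check_admin_referer`, `wp_kses_post` and the `upload_mimes` filter are WordPress core APIs.

```php
<?php
/**
 * Hypothetical hardening pattern for a WordPress plugin settings handler.
 * Added illustration only; not the WP Attachments plugin's own code.
 * All wpa_* names (hook, options, nonce, functions) are assumed.
 */

// Handler for the plugin's "save settings" admin action (hook name assumed).
add_action( 'admin_post_wpa_save_settings', 'wpa_save_settings' );

function wpa_save_settings() {
    // 1. Only administrators may change plugin settings at all. Without this
    //    check, any logged-in user who can reach the action can flip options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpa' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the settings form must carry a valid nonce.
    check_admin_referer( 'wpa_save_settings', 'wpa_nonce' );

    // 3. unfiltered_html is a WordPress core capability. A plugin option must
    //    never grant it to users who do not already hold it, so the stored
    //    flag is gated on the capability of the user saving the setting.
    $allow_raw_html = ! empty( $_POST['wpa_unfiltered_html'] )
        && current_user_can( 'unfiltered_html' );
    update_option( 'wpa_unfiltered_html', $allow_raw_html ? 1 : 0 );

    // 4. Free-text settings such as an email template are run through
    //    wp_kses_post() unless the *current* user genuinely may post raw HTML.
    $raw_template = isset( $_POST['wpa_email_template'] )
        ? wp_unslash( $_POST['wpa_email_template'] )
        : '';
    $template = current_user_can( 'unfiltered_html' )
        ? $raw_template
        : wp_kses_post( $raw_template );
    update_option( 'wpa_email_template', $template );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpa&updated=1' ) );
    exit;
}

/**
 * Upload-side control: remove MIME types that browsers execute as script
 * (HTML, SVG, XHTML) from the allowed list for users lacking unfiltered_html.
 * The upload_mimes filter receives the extension-regex => MIME type map.
 */
add_filter( 'upload_mimes', 'wpa_restrict_active_mimes' );

function wpa_restrict_active_mimes( $mimes ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $mimes;
    }
    $active_types = array( 'text/html', 'image/svg+xml', 'application/xhtml+xml' );
    foreach ( $mimes as $ext_regex => $type ) {
        if ( in_array( $type, $active_types, true ) ) {
            unset( $mimes[ $ext_regex ] );
        }
    }
    return $mimes;
}
```

Two details matter when adapting this. The `manage_options` check and the nonce check belong on every plugin action that writes settings, including any AJAX or `admin_post` endpoints the settings page does not link to, since the page lists settings reachable "via plugin actions" as one of the vectors. And the MIME filter only covers types WordPress consults the allowed list for; a user holding core's `unfiltered_upload` capability bypasses type checks entirely, so that capability should be audited alongside `unfiltered_html`.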

Vulnerable plugins

The WP Attachments plugin before 5.0.5 does not properly validate its settings when a user sets the “Send via email” option, allowing low-privilege users to send XSS emails.

Timeline

Published on: 11/14/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:02:00 UTC
