Author Box Wp Lens
Monthly
Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. No public exploit identified at time of analysis and no CISA KEV listing; however, multi-author WordPress deployments with untrusted contributors face realistic risk of privilege escalation via session hijacking.
Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. No public exploit identified at time of analysis and no CISA KEV listing; however, multi-author WordPress deployments with untrusted contributors face realistic risk of privilege escalation via session hijacking.