Loops Logic
Monthly
Stored cross-site scripting in the Tangible Loops & Logic WordPress plugin (versions through 4.2.3) allows a low-privileged authenticated user to inject persistent malicious scripts into web pages that execute in the browsers of site visitors or administrators. The scope change (S:C in CVSS) confirms the payload escapes the injection context and executes in a victim's browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforward to exploit once an attacker holds contributor-level access.
Stored cross-site scripting in the Tangible Loops & Logic WordPress plugin (versions through 4.2.3) allows a low-privileged authenticated user to inject persistent malicious scripts into web pages that execute in the browsers of site visitors or administrators. The scope change (S:C in CVSS) confirms the payload escapes the injection context and executes in a victim's browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforward to exploit once an attacker holds contributor-level access.