CIVI-SA-2023-05: Quick Add Widget

Published
2023-02-15 12:00
Written by

The CiviCRM-WordPress module includes a "Quick Add" widget that can be used to trick another user into executing arbitrary HTML and JavaScript.

(This vulnerability is similar to "stored cross-site scripting". However, exploiting it requires backend access privileges in CiviCRM, so it can only be exploited by internal users.)

Security Risk

Moderately Critical

Vulnerability

Other
Affected Versions

CiviCRM version 5.58.0 (and earlier), 5.57.3 (and earlier). (This only affects WordPress-based deployments.)

Fixed Versions

CiviCRM version 5.58.1, 5.57.4 (ESR)

Publication Date
Solutions

Upgrade to the fixed version of CiviCRM
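The advisory gives two affected ranges (the 5.57 ESR branch and the 5.58 branch) and restricts the issue to WordPress deployments. The following is an added example, not code from the advisory or from the CiviCRM project, that turns those statements into a check an administrator can run over an inventory of sites. The inventory records, the `cms` field values and the assumption that minor releases after 5.58 (cut after the fix) are not affected are all assumptions made for the example.

```python
"""Added example: decide whether a CiviCRM deployment is inside the affected
range published in CIVI-SA-2023-05.

Affected (per the advisory): 5.58.0 and earlier, 5.57.3 and earlier,
WordPress deployments only.  Fixed: 5.58.1 and 5.57.4 (ESR).
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases taken from the advisory, keyed by minor branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 57): (5, 57, 4),  # ESR branch
    (5, 58): (5, 58, 1),
}


def parse_version(text: str) -> Version:
    """Parse a 'MAJOR.MINOR.PATCH' release string into a comparable tuple.

    Pre-release strings (e.g. '5.58.beta1') are deliberately rejected so a
    non-release build is never silently classified.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version_text: str, cms: str) -> bool:
    """Return True if this deployment falls inside the advisory's affected range.

    cms is the CMS CiviCRM is installed on (e.g. 'wordpress', 'drupal');
    the advisory states only WordPress deployments carry the Quick Add issue.
    """
    if cms.strip().lower() != "wordpress":
        return False
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # Inside a patched branch: affected only below the fixed patch level.
        return version < FIXED_BY_BRANCH[branch]
    # Anything older than the 5.57 branch predates both fixes ("and earlier").
    # Branches newer than 5.58 were cut after the fix; assumed not affected.
    return branch < (5, 57)


# Constructed sample inventory for the example; not real sites.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"site": "members-wp", "cms": "wordpress", "civicrm": "5.57.2"},
    {"site": "events-wp", "cms": "WordPress", "civicrm": "5.58.0"},
    {"site": "donate-wp", "cms": "wordpress", "civicrm": "5.58.1"},
    {"site": "archive-d9", "cms": "drupal", "civicrm": "5.57.1"},
    {"site": "esr-wp", "cms": "wordpress", "civicrm": "5.57.4"},
]


def sites_needing_upgrade(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of inventory entries that should move to a fixed release."""
    return [s["site"] for s in inventory if is_affected(s["civicrm"], s["cms"])]


if __name__ == "__main__":
    for name in sites_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{name}: upgrade to 5.58.1 or 5.57.4 (ESR)")
```

The check keys on the minor branch so that an ESR site on 5.57.4 is correctly reported as fixed even though 5.58.0 is a numerically higher but still affected release.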

Credits

Andrea Intilangelo (Deloitte), Seamus Lee (CiviCRM/JMA Consulting), and Kevin Cristiano (Tadpole Collective)

References

security/wordpress#1