Description
Multiple cross-site scripting (XSS) vulnerabilities in Plume CMS 1.2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the u_email parameter (aka Authors Email field) to manager/users.php, (2) the u_realname parameter (aka Authors Name field) to manager/users.php, or (3) the c_author parameter (aka Author field) in an ADD A COMMENT section.
References (7)
Core References
http://www.webapp-security.com/2012/04/plumecms (Various Sources; x_refsource_misc)
http://osvdb.org/80960 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_osvdb)
https://exchange.xforce.ibmcloud.com/vulnerabilities/74614 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_xf)
http://www.securityfocus.com/bid/52890 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
http://www.exploit-db.com/exploits/18699 (Exploit, Third Party Advisory; exploit, x_refsource_exploit-db)
http://osvdb.org/80961 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_osvdb)
http://www.webapp-security.com/wp-content/uploads/2012/04/PlumeCMS-1.2.4-Multiple-Permanent-XSS.txt (Various Sources; x_refsource_misc)
Scores
EPSS: 0.0225
EPSS Percentile: 84.7%
Details
CWE: CWE-79
Status: published
Products (11)
plume-cms/plume_cms 1.0.2
plume-cms/plume_cms 1.0.3
plume-cms/plume_cms 1.0.4
plume-cms/plume_cms 1.0.5
plume-cms/plume_cms 1.0.6
plume-cms/plume_cms 1.1.3
plume-cms/plume_cms 1.2
plume-cms/plume_cms 1.2.1
plume-cms/plume_cms 1.2.2
plume-cms/plume_cms 1.2.3
... and 1 more
Published: Apr 11, 2012
Tracked Since: Feb 18, 2026