CVE-2019-16931

MEDIUM NUCLEI

Themeisle Visualizer < 3.3.0 - XSS

Title source: rule

Description

A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers wp-json/visualizer/v1/update-chart with no access control, and classes/Visualizer/Render/Page/Data.php lacks output sanitization.

Nuclei Templates (1)

WordPress Visualizer <3.3.1 - Cross-Site Scripting

MEDIUMVERIFIEDby ritikchaddha

References (3)

[Exploit, Third Party Advisory] https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf

[Product, Release Notes] https://wordpress.org/plugins/visualizer/#developers

[Exploit, Third Party Advisory] https://wpvulndb.com/vulnerabilities/9893

Scores

CVSS v3 6.1

EPSS 0.0199

EPSS Percentile 83.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

themeisle/visualizer < 3.3.0

Published Oct 03, 2019

Tracked Since Feb 18, 2026