Can you explain this vulnerability to me?

The Sports Club Management plugin for WordPress has a vulnerability known as Stored Cross-Site Scripting (XSS) in its 'before' and 'after' attributes of the scm_member_data shortcode. This vulnerability exists in all versions up to and including 1.12.9 because the plugin does not properly sanitize input or escape output.

As a result, authenticated users with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute whenever any user accesses the affected page.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows attackers with Contributor-level access or above to inject arbitrary scripts into web pages. These scripts can execute in the context of other users visiting the page, potentially leading to theft of user data, session hijacking, or other malicious actions.

Because the vulnerability is a Stored Cross-Site Scripting issue, the malicious code persists on the site and affects all users who view the infected pages, increasing the risk and impact.

The CVSS score of 6.4 (Medium severity) reflects the potential for confidentiality and integrity loss without impacting availability.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access to user data or session hijacking.

Such unauthorized access or data exposure could potentially violate data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

However, the provided information does not explicitly state the impact on compliance with these standards.

Useful 0 Not Useful 0