VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2021 · Updated Aug 3, 2024

Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting

CVE-2021-24830

Description

The Advanced Access Manager WordPress plugin before 6.8.0 has a stored XSS vulnerability in its settings output, allowing high-privilege users to inject scripts even when unfiltered_html is disallowed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Advanced Access Manager WordPress plugin before version 6.8.0 fails to escape some of its settings when outputting them, leading to a stored Cross-Site Scripting (XSS) vulnerability [1]. The issue can be triggered by high-privilege users (Admin+) who are able to modify plugin settings. It is exploitable even when the unfiltered_html capability is disallowed, because that capability only governs what WordPress strips on save; the plugin itself does not escape the stored values when it renders them.
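To make the output-escaping point concrete, the following is an added illustration written for this page, not code from the Advanced Access Manager plugin: a hypothetical settings renderer in its unescaped form beside the corrected form. It assumes it runs inside WordPress (so `get_option`, `esc_html`, `esc_attr` and `sanitize_text_field` are available); the function and option names are invented for the example.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress context.
// Option name and function names are hypothetical.

// Vulnerable pattern: a stored option is concatenated straight into HTML.
// A value saved by any user allowed to edit the settings becomes live
// markup for whoever views the page. Stripping on save (the behaviour the
// unfiltered_html capability controls) does not help here, because the
// escaping has to happen at the point of output.
function aam_example_render_setting_vulnerable( $option_name ) {
    $value = get_option( $option_name, '' );
    $html  = '<p class="description">' . $value . '</p>';
    $html .= '<input type="text" name="' . $option_name . '" value="' . $value . '">';
    return $html;
}

// Fixed pattern: escape with the helper that matches the HTML context.
// esc_html() for text nodes, esc_attr() for attribute values. Both turn
// characters such as < > " ' & into entities, so a constructed value like
//   '<b>label</b>'
// is shown literally as text instead of being parsed as markup.
function aam_example_render_setting_fixed( $option_name ) {
    $value = get_option( $option_name, '' );
    $html  = '<p class="description">' . esc_html( $value ) . '</p>';
    $html .= '<input type="text" name="' . esc_attr( $option_name ) . '"'
           . ' value="' . esc_attr( $value ) . '">';
    return $html;
}

// Defence in depth on the write side: register the option with a sanitize
// callback so the stored value is already plain text before it reaches any
// output path. This complements, but does not replace, output escaping.
add_action( 'admin_init', function () {
    register_setting( 'aam_example_group', 'aam_example_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for `echo` and string concatenation of `get_option()` results and check that every sink is wrapped in the context-appropriate `esc_*` helper.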

Exploitation

An attacker with administrator-level access to the WordPress site can inject malicious JavaScript into a plugin setting field. When the setting is subsequently displayed (e.g., in the admin dashboard or settings page), the injected script executes in the browser of any user viewing that page. No additional user interaction is required beyond the initial save of the malicious setting.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the WordPress admin area. This can lead to session hijacking, defacement, theft of sensitive data, or further privilege escalation within the site. The stored XSS persists until the malicious setting is removed or the plugin is updated.

Mitigation

The vulnerability is fixed in version 6.8.0 of the Advanced Access Manager plugin, released on 2021-10-19 [1]. Users should update to this version or later immediately. No workarounds are documented. The plugin is actively maintained, and this CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
