WordPress Triberr Plugin <= 4.1.1 is vulnerable to Cross Site Scripting (XSS)
Description
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Triberr plugin <= 4.1.1 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products (2)
- Triberr/Triberrv5, Range: n/a
Vulnerability mechanics
Root cause
"The plugin fails to sanitize or escape user-supplied input stored in admin settings, allowing stored JavaScript injection."
Attack vector
An attacker with administrator-level privileges (admin+) can inject malicious JavaScript into a plugin setting or stored value that is later rendered unsanitized in the WordPress admin dashboard. When another administrator visits the affected page, the injected script executes in their browser session, enabling session hijacking, privilege escalation, or further compromise. The vulnerability is classified as stored XSS because the payload persists in the database and triggers on subsequent page loads.
Affected code
The Triberr WordPress plugin (triberr-wordpress-plugin) versions up to and including 4.1.1 contain a stored cross-site scripting vulnerability. The plugin's changelog entry for version 4.1.2 states "FIXED XSS vulnerability", confirming the flaw existed in the plugin's admin-facing functionality.
What the fix does
Version 4.1.2 of the Triberr plugin fixes the XSS vulnerability, though the specific code change is not shown in the available bundle. The advisory indicates the fix was released on 2024-03-11 as part of a compatibility update for WordPress 6.4.3. Administrators should update to version 4.1.2 or later to remediate the issue.
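To find installs that still need the update, the check below reads the plugin header from a WordPress plugins directory and flags any Triberr copy older than 4.1.2. It is an added example, not code from the plugin or the advisory; it assumes the plugin directory is named after the slug, and the `triberr.php` file name and sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

SLUG = "triberr-wordpress-plugin"  # slug as named on this page; assumed to be the directory name
FIXED = (4, 1, 2)                  # first release whose changelog lists the XSS fix

# WordPress reads plugin headers from the first 8 KB of a top-level .php file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def parse_version(text):
    """Turn '4.1.1' into (4, 1, 1); missing or non-numeric parts count as 0."""
    parts = [int(re.match(r"\d*", p).group() or 0) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugins_dir):
    """Return the Triberr version tuple found under plugins_dir, or None if absent."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        fields = {key.lower(): value.strip() for key, value in HEADER.findall(head)}
        if "plugin name" in fields and "version" in fields:
            return parse_version(fields["version"])
    return None

def is_vulnerable(plugins_dir):
    """True when an installed copy is 4.1.1 or earlier."""
    version = installed_version(plugins_dir)
    return version is not None and version < FIXED

def make_site(root, version):
    """Constructed sample: a fake plugins tree with a minimal plugin header."""
    plugin_dir = Path(root) / SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/*\n * Plugin Name: Triberr\n * Version: {version}\n */\n"
    (plugin_dir / "triberr.php").write_text(header)  # file name is hypothetical
    return root

if __name__ == "__main__":
    for sample in ("4.1.1", "4.1.2"):
        with tempfile.TemporaryDirectory() as tmp:
            state = "needs update" if is_vulnerable(make_site(tmp, sample)) else "ok"
            print(sample, state)
```

Point `is_vulnerable()` at each site's `wp-content/plugins` directory; a `None` from `installed_version()` means the plugin is not installed there.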
Preconditions
- auth: Attacker must have an administrator-level account on the WordPress site
- config: The vulnerable Triberr plugin version must be 4.1.1 or earlier
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.