General Options
- Affected versions: <= 1.1.0
A stored cross-site scripting vulnerability has been identified in the General Options plugin for WordPress, affecting versions through 1.1.0. The issue arises from improper output escaping of the Contact Number field: the value is sanitised with sanitize_text_field(), which removes HTML tags but does not encode double-quote characters as HTML entities, and it is then placed inside a double-quoted HTML attribute without further escaping. As a result, an attacker can inject a double-quote that terminates the attribute and escapes its context, potentially executing arbitrary scripts when an administrator accesses the General Options settings page.
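The pattern behind this bug, as an added illustration that is not the plugin's own code: a hypothetical settings field is sanitised with sanitize_text_field() on save, then echoed into a double-quoted attribute either unescaped (the weak form) or through esc_attr() (the fix). It assumes WordPress is loaded; the option name and function names are invented for the example.

```php
<?php
// Hypothetical illustration of the flaw described above; not code from the General Options plugin.
// Assumes WordPress core is loaded so sanitize_text_field(), esc_attr(),
// get_option() and update_option() are available.

// Saving the field. sanitize_text_field() strips tags, octets and stray
// whitespace, but it deliberately leaves a literal double quote in place,
// so the stored value may still contain a raw " character.
function go_example_save_contact_number( $raw ) {
    $clean = sanitize_text_field( $raw );
    update_option( 'go_example_contact_number', $clean ); // option name is invented
    return $clean;
}

// Weak rendering: the stored string is concatenated straight into a
// double-quoted attribute. The first " inside the value closes the
// attribute early and everything after it is parsed as new markup.
function go_example_render_weak() {
    $number = get_option( 'go_example_contact_number', '' );
    echo '<input type="text" name="contact_number" value="' . $number . '" />';
}

// Hardened rendering: escape at the point of output for the exact context.
// esc_attr() encodes " as &quot; (and ', <, >, & as well), so the value can
// no longer terminate the attribute no matter what was stored.
function go_example_render_fixed() {
    $number = get_option( 'go_example_contact_number', '' );
    printf(
        '<input type="text" name="contact_number" value="%s" />',
        esc_attr( $number )
    );
}

// Constructed sample value containing double quotes, as a settings form might submit it.
// sanitize_text_field() returns it with the quotes intact, which is why input
// sanitisation alone is not a substitute for output escaping.
$sample = 'Call "Front Desk" on 555-0100';
go_example_save_contact_number( $sample );
```

Sanitising on input and escaping on output are separate steps: the first limits what is stored, the second (esc_attr() for attribute values) is what actually prevents the attribute from being broken out of.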
Exploitation of this vulnerability allows authenticated attackers with Administrator-level access to inject and execute arbitrary scripts on the admin settings page, affecting any administrator who visits the General Options settings.
No known patch is available for this vulnerability. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.