WordPress Plugin Vulnerabilities

WP 2FA < 2.2.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
wp-2fa
Fixed in 2.2.1

References

CVE
CVE-2022-1527

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Utkarsh Agrawal
Submitter
Utkarsh Agrawal
Submitter website
https://smart7.in
Submitter twitter
agrawalsmart7
Verified
Yes
WPVDB ID
0260d5c0-52a9-44ce-b7be-aff642056d16

Timeline

Publicly Published
2022-05-06 (about 3 years ago)
Added
2022-05-06 (about 3 years ago)
Last Updated
2022-05-06 (about 3 years ago)

Other

Published
Title
Published
2022-06-27
Title
Simple Post Notes < 1.7.6 - Admin+ Stored Cross-Site Scripting
Published
2021-10-05
Title
Translate WordPress - Google Language Translator < 6.0.12 - Admin+ Stored Cross-Site Scripting
Published
2024-04-15
Title
GuCherry Blog <= 1.1.8 - Reflected Cross-Site Scripting
Published
2023-09-01
Title
WP Default Feature Image <= 1.0.1.1 - Admin+ Stored XSS
Published
2017-11-08
Title
Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)