WordPress Plugin Vulnerabilities

Plugin Info Card <= 2.3.6 - Authenticated XSS

Description

Authenticated XSS via wppic-list POST parameter in the wppic_widget_render() AJAX method (which is also lacking CSRF and authorisation checks, even in the fixed version)

Affects Plugins

Plugin icon
wp-plugin-info-card
Fixed in 2.3.7

References

URL
https://plugins.trac.wordpress.org/changeset?reponame=&new=1105436%40wp-plugin-info-card&old=1084082%40wp-plugin-info-card

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Julio Potier
Verified
No
WPVDB ID
02c6fadf-6246-40e9-937f-e22ac889ebe6

Timeline

Publicly Published
2015-03-04 (about 11 years ago)
Added
2019-06-23 (about 6 years ago)
Last Updated
2019-06-23 (about 6 years ago)

Other

Published
Title
Published
2023-05-31
Title
Quick/Bulk Order Form for WooCommerce < 3.6.0 - Shop Manager+ Stored XSS
Published
2025-02-28
Title
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site < 2.0.7 - Authenticated (Administrator+) DOM-Based Stored Cross-Site Scripting
Published
2025-11-18
Title
GiveWP < 4.13.1 - Unauthenticated Stored XSS via 'name'
Published
2025-03-03
Title
Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS
Published
2026-01-23
Title
Same Category Posts < 1.1.20 - Authenticated (Author+) Stored Cross-Site Scripting via Widget Title Placeholder