WordPress Plugin Vulnerabilities

WP REST API (WP API) <= 1.2.2 - Cross-Site Scripting (XSS)

Description

Requests from other origins could potentially run code on the API domain, allowing cross-origin access to authentication cookies or similar.

Affects Plugins

Plugin icon
json-rest-api
Fixed in 1.2.3

References

URL
http://wptavern.com/wp-rest-api-1-2-3-patches-xss-vulnerability
URL
https://github.com/WP-API/WP-API/releases/tag/2.0-beta4

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
04953e04-f726-4819-9729-5d22370d9fdd

Timeline

Publicly Published
2015-08-14 (about 10 years ago)
Added
2015-08-14 (about 10 years ago)
Last Updated
2019-10-22 (about 6 years ago)

Other

Published
Title
Published
2023-01-16
Title
Restaurant Menu < 2.3.6 - Contributor+ Stored XSS via Shortcode
Published
2022-04-05
Title
Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting
Published
2024-05-24
Title
LuckyWP Table of Contents < 2.1.6 - Admin+ Stored XSS
Published
2022-06-14
Title
Clearfy Cache < 2.0.5 - Reflected Cross-Site Scripting
Published
2025-01-14
Title
HireHive Job Plugin <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting