WordPress Plugin Vulnerabilities

Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. It records each visitor's User-Agent request header and later displays it on a page within the WordPress admin panel without any validation or output encoding, so markup supplied by an unauthenticated visitor is rendered in an administrator's browser.

Proof of Concept

$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"

The payload is stored and executed when an administrator opens the "visitors" page within the WordPress admin panel.
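The fix the description implies is output encoding at render time. The following is an added PHP example, not the Visitors plugin's own code: hypothetical `render_row_vulnerable()` and `render_row_fixed()` helpers show the unencoded pattern beside the hardened one, using WordPress's `esc_html()` when available and plain `htmlspecialchars()` otherwise so the file runs stand-alone.

```php
<?php
// Added example (not the Visitors plugin's code). Helper names are hypothetical.

// Escape a value for an HTML body context. Inside WordPress, esc_html() is the
// idiomatic call; the htmlspecialchars() fallback lets this run under plain PHP.
function escape_for_html(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw header is interpolated into admin-page markup,
// so '<' and '>' from the request reach the administrator's browser unchanged.
function render_row_vulnerable(string $user_agent): string {
    return '<td>' . $user_agent . '</td>';
}

// Hardened pattern: keep the stored value as-is, encode at the point of output.
// htmlspecialchars() turns '<', '>', '&' and quotes into entities, so the
// browser displays the header as text instead of parsing it as markup.
function render_row_fixed(string $user_agent): string {
    return '<td>' . escape_for_html($user_agent) . '</td>';
}

// Constructed input mirroring the advisory's proof-of-concept header when no
// real request header is present (e.g. when run from the CLI).
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '</script><script>alert(1)</script>';

echo "vulnerable: " . render_row_vulnerable($ua) . "\n";
echo "fixed:      " . render_row_fixed($ua) . "\n";
```

Encoding must match the output context: `esc_html()` is correct for element text, while values placed inside attributes or inline JavaScript need `esc_attr()` or `esc_js()` respectively.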

Affects Plugins

No known fix

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Mesut Cetin
Submitter
Mesut Cetin
Verified
Yes

Timeline

Publicly Published
2021-05-26
Added
2021-05-27
Last Updated
2021-07-11