WordPress Plugin Vulnerabilities

New User Approve < 2.4.1 - Reflected Cross-Site Scripting

Description

The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
new-user-approve
Fixed in 2.4.1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
17f99601-f5c9-4300-9b4a-6d75fa7ab94a

Timeline

Publicly Published
2022-05-30 (about 3 years ago)
Added
2022-06-13 (about 3 years ago)
Last Updated
2022-06-13 (about 3 years ago)

Other

Published
Title
Published
2023-12-18
Title
AMP for WP – Accelerated Mobile Pages < 1.0.92.1 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Published
2025-06-12
Title
IRM Newsroom < 1.2.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmflat' Shortcode
Published
2022-01-26
Title
WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
Published
2025-03-19
Title
Off Page SEO <= 3.0.3 - Reflected Cross-Site Scripting
Published
2025-03-31
Title
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder < 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting