WordPress Plugin Vulnerabilities

WebP Express < 0.14.8 - Authenticated Stored XSS

Description

Edit - WPScanTeam: The reported issue has been fixed in 0.14.5. Other sanitisation checks have been implemented in newest versions (such as 0.14.6 and 0.14.8) while the plugin was closed, so the fixed in is set to 0.14.8

Proof of Concept

Affects Plugins

Plugin icon
webp-express
Fixed in 0.14.8

References

CVE
CVE-2019-15837
URL
https://plugins.trac.wordpress.org/changeset?reponame=&new=2109698%40webp-express&old=2108592%40webp-express

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
M0ns7er
Submitter
Akash Labade
Submitter website
https://www.asfaleia.tech
Submitter twitter
akash_labade
Verified
Yes
WPVDB ID
19df4f3e-bbe4-4260-9218-f8fd161220c7

Timeline

Publicly Published
2019-06-26 (about 6 years ago)
Added
2019-06-26 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2012-05-18
Title
Login With Ajax - Cross-Site Scripting (XSS)
Published
2025-04-03
Title
Team Builder <= 1.3 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
WP Socializer 2.4.2 - admin/wpsr-services-selector.php val Parameter XSS
Published
2021-08-30
Title
User Activity Log < 1.4.7 - Reflected Cross-Site Scripting
Published
2022-06-21
Title
Best Contact Management Software < 3.8 - Admin+ Stored Cross-Site Scripting