WordPress Plugin Vulnerabilities

Recent Posts Widget Extended <= 0.9.9.3 - Authenticated XSS (multisite)

Description

XSS in the Recent Posts Widget Extended plugin allows single site admins to change network admin's password with simple CSRF described above POC field.

This vulnerability is currently unpatched.

Proof of Concept

Affects Plugins

Plugin icon
recent-posts-widget-extended
Fixed in 0.9.9.4

References

URL
https://plugins.trac.wordpress.org/changeset?old_path=%2Frecent-posts-widget-extended%2Ftags%2F0.9.9.3&old=1350555&new_path=%2Frecent-posts-widget-extended%2Ftags%2F0.9.9.4&new=1350555&sfp_email=&sfph_mail=

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
Mikko Virenius
Submitter website
http://www.valu.fi
Submitter twitter
@mikkovirenius
Verified
No
WPVDB ID
2e8c7578-007a-472c-9c80-54e23d42e346

Timeline

Publicly Published
2015-10-19 (about 10 years ago)
Added
2016-02-14 (about 10 years ago)
Last Updated
2019-10-31 (about 6 years ago)

Other

Published
Title
Published
2026-03-10
Title
Avada Core < 5.15.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-12-06
Title
Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting
Published
2023-11-10
Title
Sponsors <= 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2022-05-31
Title
Automatic Domain Changer < 2.0.3 - Reflected Cross-Site Scripting
Published
2023-01-11
Title
WordPrezi < 0.9 - Contributor+ Strored XSS