WordPress Plugin Vulnerabilities

Spreadsheet Integration < 3.6.0 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise or escape some parameters before outputting them back in the admin dashboard, leading to reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
wpgsi
Fixed in 3.6.0
Plugin icon
wpgsi-professional
Fixed in 3.6.0

References

URL
https://plugins.trac.wordpress.org/changeset/2561776/wpgsi

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
2ea4705c-75fa-4d11-a4bc-4eea730e7323

Timeline

Publicly Published
2021-12-24 (about 4 years ago)
Added
2021-12-24 (about 4 years ago)
Last Updated
2021-12-24 (about 4 years ago)

Other

Published
Title
Published
2025-09-01
Title
Etsy Shop < 3.0.7 - Reflected XSS via $_SERVER['REQUEST_URI']
Published
2025-01-16
Title
Payment Button for PayPal < 1.2.3.36 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-01-23
Title
VK Google Job Posting Manager < 1.2.24 - Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field
Published
2024-07-08
Title
Blog, Posts and Category Filter for Elementor < 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post and Category Filter Widget
Published
2024-06-07
Title
Simple AL Slider <= 1.2.10 - Reflected XSS