WordPress Plugin Vulnerabilities

Multiple Plugins from WPPlugin - Reflected Cross-Site Scripting via page Parameter

Description

The plugins do not escape a page parameter before outputting it back in an attribute in various admin pages, leading to Reflected Cross-Site Scripting issues.

The issues were reported to the vendor on August 10th, 2021

Proof of Concept

Affects Plugins

Plugin icon
subscriptions-memberships-for-paypal
Fixed in 1.1.3
Plugin icon
easy-paypal-donation
Fixed in 1.3.1
Plugin icon
easy-paypal-events-tickets
Fixed in 1.1.2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
34ea00d1-3f45-4550-9d22-5a966e9c01b9

Timeline

Publicly Published
2021-10-11 (about 4 years ago)
Added
2021-10-11 (about 4 years ago)
Last Updated
2021-10-26 (about 4 years ago)

Other

Published
Title
Published
2023-02-15
Title
Tapfiliate < 3.0.13 - Admin+ Stored XSS
Published
2023-01-21
Title
Advanced Social Pixel <= 2.1.1 - Admin+ Stored XSS
Published
2015-04-21
Title
WordPress 3.9-4.1.1 - Same-Origin Method Execution
Published
2025-03-04
Title
Favorites < 2.3.5 - Admin+ Stored XSS
Published
2025-05-19
Title
WPAdverts < 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting