WordPress Plugin Vulnerabilities

Feedify Web Push Notifications < 2.1.9 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the eedify_msg parameter found in the ~/includes/base.php which allows attackers to inject arbitrary web scripts.

Affects Plugins

Plugin icon
push-notification-by-feedify
Fixed in 2.1.9

References

CVE
CVE-2021-38352
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38352

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Verified
Yes
WPVDB ID
39aa8896-ab72-43dc-9324-678de653aca6

Timeline

Publicly Published
2021-09-09 (about 4 years ago)
Added
2021-09-10 (about 4 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2015-10-26
Title
Visitors Online < 0.4 - SQL Injection
Published
2024-12-11
Title
Surbma | SalesAutopilot Shortcode <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-04-06
Title
The7 < 11.6.1 - Reflected XSS
Published
2023-01-11
Title
WPFunnels < 2.6.9 - Contributor+ Stored XSS
Published
2025-07-23
Title
Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App <= 0.8.8.8 - Reflected Cross-Site Scripting