Random Banner 1.1.2.1 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2014-4847 | Plugin Vulnerabilities

Description

The plugin did not sanitise the buffercode_RBanner_url_bannerX (Link for that image field) parameters in its settings, leading to an authenticated stored Cross-Site Scripting (XSS) issue.

Proof of Concept

Open the plugin's setting (/wp-admin/options-general.php?page=random-banner%2Frandom-banner.php), add a payload such as "/><script>alert(/XSS/);</script> in one of the 'Link for that image' field and save

Affects Plugins

Fixed in 2.0

References

CVE

URL

https://packetstormsecurity.com/files/#127292/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

ACC3SS

Verified

Yes

WPVDB ID

4739180c-3087-4f0e-8007-a17de19e2c97

Timeline

Publicly Published

2014-06-29 (about 11 years ago)

Added

2014-08-01 (about 11 years ago)

Last Updated

2021-03-15 (about 5 years ago)

Other

Published

Title

Published

2024-10-31

Title

Elementary Addons <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-02-28

Title

3D FlipBook < 1.12.1 - Subscriber+ Stored Cross-Site Scripting

Published

2025-11-06

Title

JetElements For Elementor < 2.7.12.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-08

Title

Contact Form 7 - PayPal & Stripe Add-on < 2.3.2 - Reflected Cross-Site Scripting

Published

2026-03-02

Title

EventON <= 4.9.12 - Reflected Cross-Site Scripting