WordPress Plugin Vulnerabilities

WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
whmcs-bridge
Fixed in 6.4b

References

CVE
CVE-2021-25112
URL
https://plugins.trac.wordpress.org/changeset/2659751

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
4aae2dd9-8d51-4633-91bc-ddb53ca3471c

Timeline

Publicly Published
2022-01-27 (about 3 years ago)
Added
2022-01-27 (about 3 years ago)
Last Updated
2022-04-16 (about 3 years ago)

Other

Published
Title
Published
2012-05-15
Title
Leaflet <= 0.0.1 - Cross Site Scripting
Published
2025-12-11
Title
FX Currency Converter < 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2024-03-25
Title
Hot Random Image < 1.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-11
Title
J&T Express Malaysia < 2.0.15 - Reflected Cross-Site Scripting via [placeholder]
Published
2025-05-01
Title
BuddyBoss Platform < 2.8.51 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bp_nouveau_ajax_media_save' function