WordPress Plugin Vulnerabilities

All In One WP Security & Firewall < 4.4.4 - CSRF & XSS

Description

Antony Garand of Sucuri discovered that multiple WordPress plugins were vulnerable to Cross-Site Scripting (XSS) within the admin panel, which could be exploited by using s Cross-Site Request Forgery (CSRF) attack.

The vulnerability affecting the All In One WP Security & Firewall plugin required the victim to be running an older web browser to be exploited.

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 4.4.4

References

URL
https://blog.sucuri.net/2020/09/reflected-xss-in-wordpress-plugin-admin-pages.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Antony Garand (Sucuri)
Verified
No
WPVDB ID
534cdd29-4d24-4105-80df-4764f7d7c55a

Timeline

Publicly Published
2020-09-09 (about 5 years ago)
Added
2020-09-09 (about 5 years ago)
Last Updated
2020-09-10 (about 5 years ago)

Other

Published
Title
Published
2023-04-28
Title
Photo Gallery Slideshow & Masonry Tiled Gallery < 1.0.14 - Reflected Cross-Site Scripting
Published
2025-11-05
Title
Strong Testimonials < 3.2.17 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-04-10
Title
MSRP (RRP) Pricing for WooCommerce < 2.0.0 - Reflected Cross-Site Scripting
Published
2024-11-12
Title
Royal Elementor Addons and Template < 1.7.1002 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Google Maps Widget
Published
2014-08-01
Title
Abundance - Unspecified XSS