WordPress Plugin Vulnerabilities

Bank Mellat < 2.0.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
bank-mellat
Fixed in 2.0.1

References

CVE
CVE-2022-0643

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Ran Crane
Submitter
Ran Crane
Verified
Yes
WPVDB ID
5be0de93-9625-419a-8c37-521c1bd9c24c

Timeline

Publicly Published
2022-03-01 (about 3 years ago)
Added
2022-03-01 (about 3 years ago)
Last Updated
2024-09-03 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
Contact Form 7 – CCAvenue Add-on <= 1.0 - Reflected Cross-Site Scripting
Published
2025-02-18
Title
Wonder Video Embed < 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-03-21
Title
Cookies Pro <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-07-17
Title
Zenon Lite <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode
Published
2015-11-11
Title
Profile Builder < 2.2.5 - XSS