WordPress Plugin Vulnerabilities

InstaLinker <= 1.1.1 - Reflected Cross-Site Scripting (XSS)

Description

Due to a lack of input sanitization in the includes/instalinker-admin-preview.php file, it is possible to utilise a reflected XSS vector to run a script in the target user's browser and potentially compromise the WordPress installation.

Proof of Concept

Affects Plugins

Plugin icon
instalinker
Fixed in 1.1.2

References

CVE
CVE-2016-11005
URL
https://rastating.github.io/instalinker-reflected-xss-information-disclosure

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Rob Carr
Submitter website
http://blog.rastating.com/
Submitter twitter
iamrastating
Verified
No
WPVDB ID
645e72b6-2fe5-4e20-88a1-69f5bec7a45c

Timeline

Publicly Published
2016-02-07 (about 10 years ago)
Added
2016-02-07 (about 10 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-12-22
Title
BWL Pro Voting Manager <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-06-12
Title
CF7 Google Sheets Connector (Free < 5.0.2, Pro < 2.3.7) - Reflected XSS
Published
2025-01-30
Title
eHive Objects Image Grid < 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
ZooEffect 1.08 - HTTP Referer Reflected XSS
Published
2024-10-14
Title
my flatonica <= 0.0.8 & my wooden under construction <= 2.0.7 - Reflected Cross-Site Scripting