WP Floating Menu < 1.4.1 – Authenticated Reflected Cross-Site Scripting | CVE 2020-25378

Description

The id GET parameter used by WP Floating menu does not correctly sanitise user input before reflecting the parameter back to the user, resulting in a reflected XSS vulnerability.

Other sanitisation have been added to prevent other XSS issues as well as potential SQL injections.

Proof of Concept

/wp-admin/admin.php?page=wpfm-admin&action=wpfm-edit-menu&id=1"><script>alert(`XSS`)</script>

Affects Plugins

wp-floating-menu

Fixed in 1.4.1

References

CVE

CVE-2020-25378

URL

https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/

URL

https://plugins.trac.wordpress.org/changeset?&new=2367599%40wp-floating-menu&old=2318612%40wp-floating-menu

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

9.6 (critical)

Miscellaneous

Original Researcher

ZeroAptitude

Verified

WPVDB ID

65b9a54e-9bc7-4aa3-91a6-010f18896dba

Timeline

Publicly Published

2020-08-31 (about 5 years ago)

Added

2020-08-31 (about 5 years ago)

Last Updated

2020-09-16 (about 5 years ago)

Other

Published

Title

Published

2024-04-22

Title

WooCommerce Shipping Label < 2.3.9 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

Published

2024-12-04

Title

WordPress连接微博 <= 2.5.6 - Stored XSS via CSRF

Published

2025-06-25

Title

e.nigma buttons <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-09

Title

Tournamatch <= 4.7.0 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Uploader 1.0.4 - notify.php blog Parameter XSS