WPML 2.9.3-3.2.6 – Cross-Site Scripting (XSS) in Accept-Language Header | CVE 2015-9416

Affects Plugins

sitepress-multilingual-cms

Fixed in 3.2.7

References

CVE

CVE-2015-9416

URL

https://secupress.me/blog/xss-wpml-header/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

769a1ffd-c2d8-42d4-9a89-ea70ca2cde19

Timeline

Publicly Published

2015-09-02 (about 10 years ago)

Added

2015-09-02 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2023-02-06

Title

Arigato Autoresponder and Newsletter < 2.7.1.1 - Admin+ Stored XSS

Published

2025-03-31

Title

OSM – OpenStreetMap < 6.1.14 - Contributor+ Stored XSS

Published

2023-10-18

Title

YouTube Playlist Player < 4.6.8 - Contributor+ Stored XSS

Published

2023-05-04

Title

Manager for Icomoon < 2.2 - Contributor+ Stored XSS

Published

2023-11-08

Title

Add to Calendar Button < 1.5.1 - Contributor+ Stored XSS