WordPress Plugin Vulnerabilities

Embed Images in Comments <= 0.5 - Unauthenticated Stored XSS

Description

Unescaped src and href attribute replacements allows breaking out of the generated replacement tags.

Proof of Concept

Affects Plugins

Plugin icon
embed-comment-images
Fixed in 0.6

References

CVE
CVE-2017-18561
URL
https://plugins.trac.wordpress.org/changeset/1714313/embed-comment-images

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Gennady
Submitter website
https://codeseekah.com
Submitter twitter
soulseekah
Verified
No
WPVDB ID
79ce7097-c179-4ef3-b2c2-e8c75131b244

Timeline

Publicly Published
2017-08-17 (about 8 years ago)
Added
2017-08-25 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2014-08-01
Title
Coalition - Unspecified XSS
Published
2023-01-20
Title
WPMobile.App < 11.14 - Contributor+ Stored XSS
Published
2025-09-26
Title
WPFront User Role Editor < 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-12-12
Title
Quick Testimonials <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2023-05-30
Title
Unite Gallery Lite < 1.7.62 - Admin+ Stored XSS