WordPress Plugin Vulnerabilities

WP Spell Check < 9.3 - Reflected Cross-Site Scripting

Description

The plugin does not escape the page and wpsc-scan-tab parameters before outputting them back in attributes, leading Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
wp-spell-check
Fixed in 9.3

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
7e1c7002-c078-463e-8b64-edfcaf6a8273

Timeline

Publicly Published
2021-10-25 (about 4 years ago)
Added
2021-10-25 (about 4 years ago)
Last Updated
2021-10-25 (about 4 years ago)

Other

Published
Title
Published
2025-01-07
Title
Shipping via Planzer for WooCommerce < 1.0.26 - Reflected Cross-Site Scripting via processed-ids
Published
2025-04-01
Title
Nova Blocks by Pixelgrade <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-11-13
Title
Ultimate Dashboard < 3.7.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Published
2024-05-28
Title
HUSKY – Products Filter Professional for WooCommerce < 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-12-19
Title
aklamator-infeed <= 2.0.0 - Admin+ Stored XSS