WordPress Plugin Vulnerabilities

Arabic Font - CSRF & Stored XSS

Description

Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.

Proof of Concept

Affects Plugins

Plugin icon
arabic-font
No known fix

References

URL
https://rastating.github.io/arabic-font-1-2-csrf-stored-xss

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
rastating
Submitter website
https://www.rastating.com/
Submitter twitter
@iamrastating
Verified
No
WPVDB ID
9701aab5-df17-48bb-aa4e-b47fb09321fc

Timeline

Publicly Published
2017-07-20 (about 8 years ago)
Added
2017-07-21 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2024-04-19
Title
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin < 3.63 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
drp-coupon <= 2.1 - XSS in ZeroClipboard
Published
2014-08-01
Title
Dewplayer - dewplayer-vinyl-en.swf xml Parameter XML File H&ling XSS
Published
2024-10-21
Title
AffiliateX < 1.2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-20
Title
Rizzi Guestbook <= 4.0.1 - Reflected Cross-Site Scripting