WordPress Plugin Vulnerabilities

Task Manager Pro < 3.6.34 - Multiple Cross-Site Scripting

Description

Multiple authenticated XSS vulnerabilities found logged as a low privileged user.

The plugin does not sanitise and escape some parameters, which could lead to reflected and stored Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
task-manager-pro
Fixed in 3.6.34

References

URL
https://packetstormsecurity.com/files/#143419/
URL
https://codecanyon.net/item/task-manager-pro-all-in-one-project-based-task-management-plugin-for-wordrpress/19864872

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
8bitsec
Submitter website
http://8bitsec.io/
Submitter twitter
_8bitsec
Verified
No
WPVDB ID
a015d0d5-3243-4e2b-81dc-85d7662fb24c

Timeline

Publicly Published
2017-07-19 (about 8 years ago)
Added
2017-07-25 (about 8 years ago)
Last Updated
2023-09-20 (about 2 years ago)

Other

Published
Title
Published
2024-12-05
Title
Xpro Addons For Elementor < 1.4.6.6 - Contributor+ Stored XSS
Published
2025-12-11
Title
Fancy Product Designer < 6.5.0 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Published
2024-03-18
Title
PDF Embedder < 4.7.1 - Contributor+ Stored XSS
Published
2025-09-02
Title
Vayu Blocks < 1.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes
Published
2023-11-30
Title
Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting