WordPress Plugin Vulnerabilities

Subscribe to Comments < 2.0.8 - Reflected XSS

Description

The plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

Affects Plugins

Plugin icon
subscribe-to-comments
Fixed in 2.0.8

References

CVE
CVE-2006-10001

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
VulDB GitHub Commit Analyzer
Verified
No
WPVDB ID
ac668b62-d781-4bdd-b7f5-7c73f50b7030

Timeline

Publicly Published
2006-09-17 (about 19 years ago)
Added
2023-10-12 (about 2 years ago)
Last Updated
2023-10-12 (about 2 years ago)

Other

Published
Title
Published
2024-07-23
Title
Social Auto Poster < 5.3.15 - Unauthenticated Stored Cross-Site Scripting
Published
2024-11-12
Title
Sailthru Triggermail < 1.1 - Subscriber+ Stored XSS
Published
2025-01-16
Title
Pit Login Welcome <= 1.1.5 - Reflected Cross-Site Scripting
Published
2023-12-26
Title
ZeroBounce Email Verification & Validation < 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-08-29
Title
Royal Elementor Addons < 1.3.985 - Authenticated (Contributor+) Stored Cross-Site Scripting