WordPress Plugin Vulnerabilities

Better WP Security <= 3.5.3 - inc/secure.php logevent Function URL H&ling Stored XSS

Description

The iThemes Security (formerly Better WP Security) WordPress plugin was affected by an inc/secure.php logevent Function URL H&ling Stored XSS security vulnerability.

Affects Plugins

Plugin icon
better-wp-security
Fixed in 3.5.4

References

Exploitdb
27290
URL
https://packetstormsecurity.com/files/#122615/
URL
https://github.com/wpscanteam/wpscan/issues/251
URL
https://www.securityfocus.com/archive/1/527634/30/0/threaded

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Verified
No
WPVDB ID
aca181eb-a018-4010-90fe-1746c7a1e976

Timeline

Publicly Published
2014-08-01 (about 11 years ago)
Added
2014-08-01 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2024-04-12
Title
Libsyn Publisher Hub <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-10
Title
SMTP for Amazon SES – YaySMTP < 1.9 - Unauthenticated Stored Cross-Site Scripting via Email Logs
Published
2024-05-24
Title
Amen <= 3.3.1 - Admin+ Stored XSS
Published
2026-03-20
Title
Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter
Published
2025-05-16
Title
Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting