WordPress Plugin Vulnerabilities

All In One WP Security & Firewall < 4.4.6 - Authenticated Cross-Site Scripting (XSS)

Description

The plugin did not escape the banned user agents in its settings before output, which may allow administrators to enter malicious UA with XSS payloads under certain conditions.

Note: We were not able to reproduce the issue.

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 4.4.6

References

CVE
CVE-2020-29171
URL
https://github.com/Arsenal21/all-in-one-wordpress-security/commit/4130906bc049b195467b4fc6980d6d304fbe28d5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
WonTae Jang
Verified
No
WPVDB ID
b2e65549-b0d2-47a9-8d38-0b798f1122cc

Timeline

Publicly Published
2021-02-10 (about 3 years ago)
Added
2021-02-10 (about 3 years ago)
Last Updated
2021-02-11 (about 3 years ago)

Other

Published
Title
Published
2021-08-24
Title
TextME SMS < 1.8.9 - Authenticated Stored XSS
Published
2023-05-24
Title
WooCommerce Product Vendors < 2.1.77 - Unauthenticated Reflected XSS
Published
2020-11-30
Title
Wibar < 1.2.1 - Authenticated Stored Cross-Site Scripting
Published
2023-01-23
Title
Image and Video Lightbox, Image PopUp < 2.1.6 - Admin+ Stored XSS
Published
2014-08-01
Title
GroupDocs Viewer 1.4.1 - grpdocs-dialog.php Multiple Parameter XSS