logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

All In One WP Security & Firewall < 4.4.6 - Authenticated Cross-Site Scripting (XSS)

Description

The plugin did not escape the banned user agents in its settings before output, which may allow administrators to enter malicious UA with XSS payloads under certain conditions.

Note: We were not able to reproduce the issue.

Affects Plugins

all-in-one-wp-security-and-firewall

Fixed in version 4.4.6

References

CVE

CVE-2020-29171

URL

https://github.com/Arsenal21/all-in-one-wordpress-security/commit/4130906bc049b195467b4fc6980d6d304fbe28d5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

WonTae Jang

Verified

No

WPVDB ID

b2e65549-b0d2-47a9-8d38-0b798f1122cc

Timeline

Publicly Published

2021-02-10 (about 2 months ago)

Added

2021-02-10 (about 2 months ago)

Last Updated

2021-02-11 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin