WordPress Plugin Vulnerabilities

Ceceppa Multilingua <= 1.5.17 - Authenticated Reflected Cross-Site Scripting

Description

The tab GET parameter in the plugin's settings is vulnerable to reflected XSS attacks.

Proof of Concept

Affects Plugins

Plugin icon
ceceppa-multilingua
No known fix

References

URL
https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
ZeroAptitude
Verified
No
WPVDB ID
b8ce996d-5a8c-4139-810e-b1cd7cb5ae1d

Timeline

Publicly Published
2020-08-31 (about 5 years ago)
Added
2020-08-31 (about 5 years ago)
Last Updated
2020-09-01 (about 5 years ago)

Other

Published
Title
Published
2025-08-12
Title
WP Voting <= 1.8 - Reflected Cross-Site Scripting
Published
2025-02-14
Title
Timeline Block < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2020-08-19
Title
Click to Top < 1.2.8 - Authenticated Stored Cross-Site Scripting
Published
2024-11-08
Title
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More < 1.8.3.1 - Reflected Cross-Site Scripting
Published
2021-10-15
Title
Indeed Job Importer <= 1.0.5 - Admin+ Stored Cross-Site Scripting