WordPress Plugin Vulnerabilities
PhoneTrack Meu Site Manager <= 0.1 - Authenticated Stored XSS
Description
The plugin does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.
Proof of Concept
Put the following payload in the "php_id" field in the plugin's settings (/wp-admin/options-general.php?page=phtmanager): "><script>alert(/XSS/)</script>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
ABISHEIK M
Submitter
ABISHEIK M
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-07-19 (about 2 years ago)
Added
2021-07-19 (about 2 years ago)
Last Updated
2023-01-23 (about 1 years ago)