WordPress Plugin Vulnerabilities

Flexible Shipping < 4.11.9 - Reflected Cross-Site Scripting

Description

The plugin does not escape shipping method URLs before outputting them back in an attribute, leading to Reflected Cross-Site Scripting

Affects Plugins

Plugin icon
flexible-shipping
Fixed in 4.11.9

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
c24a891e-00f1-4ff0-8ec4-96c2c0981710

Timeline

Publicly Published
2022-06-14 (about 3 years ago)
Added
2022-06-14 (about 3 years ago)
Last Updated
2022-06-14 (about 3 years ago)

Other

Published
Title
Published
2024-07-08
Title
Squelch Tabs and Accordions Shortcodes < 0.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via tab Shortcode
Published
2025-09-22
Title
Carousel Ultimate <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-03
Title
WooCommerce < 9.4.3 - Reflected XSS
Published
2025-04-11
Title
Nepali Date Converter < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-29
Title
Parabola <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting