WordPress Plugin Vulnerabilities

Helloprint < 1.4.7 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Make a logged in admin open the following URL: https://example.com/wp-admin/admin.php?page=language-translate.php&success=added"><script>alert(`XSS`)</script>

Affects Plugins

helloprint

Fixed in version 1.4.7

References

CVE

CVE-2022-3908

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

roguethread

Submitter

roguethread

Verified

Yes

WPVDB ID

c44802a0-8cbe-4386-9523-3b6cb44c6505

Timeline

Publicly Published

2022-11-15 (about 6 months ago)

Added

2022-11-15 (about 6 months ago)

Last Updated

2022-11-25 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin