WordPress Plugin Vulnerabilities

LocalWeb All In One plugin < 1.6.5 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

An Unauthenticated Stored XSS vulnerability was discovered in the LocalWeb All In One plugin v1.6.3 for WordPress.

There is an older version of this plugin called Web Instant Messenger, latest version is v1.1.1.

The specificity of this plugin is that it interacts with the remote host www.localweb.it, so the payload will be executed on it.

Proof of Concept

Affects Plugins

Plugin icon
lw-all-in-one
Fixed in 1.6.5
Plugin icon
web-instant-messenger
No known fix

References

URL
https://ex-mi.ru/exploit/[2020-10-12]-[WordPress]-localweb-all-in-one-v1.6.2.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Ex.Mi
Submitter
Ex.Mi
Submitter website
https://ex-mi.ru
Verified
Yes
WPVDB ID
c8069655-fc7b-4b97-b871-45705260fb1b

Timeline

Publicly Published
2020-10-12 (about 5 years ago)
Added
2021-03-02 (about 5 years ago)
Last Updated
2021-03-03 (about 5 years ago)

Other

Published
Title
Published
2021-12-14
Title
Real WYSIWYG <= 0.0.2 - Reflected Cross-Site Scripting
Published
2015-08-26
Title
SoundCloud Is Gold <= 2.3.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2021-06-13
Title
Async JavaScript < 2.21.06.29 - Authenticated (admin+) Stored XSS
Published
2026-03-23
Title
WP TripAdvisor Review Slider < 14.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-10-21
Title
Enfold < 7.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting