WordPress Plugin Vulnerabilities

Yellow Yard Searchbar < 2.8.12 - Reflected Cross-Site Scripting

Description

The plugin does not escape some URL parameters before outputting them back to the user, leading to Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
yellow-yard
Fixed in 2.8.12

References

CVE
CVE-2022-2094

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Victor Pasman
Submitter
Victor Pasman
Verified
Yes
WPVDB ID
c9a106e1-29ae-47ad-907b-01086af3d3fb

Timeline

Publicly Published
2022-07-01 (about 3 years ago)
Added
2022-07-01 (about 3 years ago)
Last Updated
2023-04-12 (about 2 years ago)

Other

Published
Title
Published
2011-09-27
Title
Redline < 1.66 - XSS
Published
2023-10-30
Title
HTML filter and csv-file search < 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-04-15
Title
Easy Textillate <= 2.02 - Authenticated(Contributor+) Stored Cross-Site Scripting
Published
2024-10-31
Title
Slicko <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-22
Title
W4 Post List < 2.4.6 - Contributor+ Stored XSS