WordPress Plugin Vulnerabilities

Connections <= 8.5.8 - Reflected Cross-Site Scripting (XSS)

Description

Line 320 contains unfiltered user input for the search field
being sent directly via echo back to the users browser via the ’s’ variable.

In file includes/admin/pages/manage.php
Line 320:
<input type="search" id="entry-search-input" name="s" value="<?php if (
isset( $_GET['s'] ) && ! empty( $_GET['s'] )) echo $_GET['s'] ; ?>" />

Affects Plugins

Plugin icon
connections
Fixed in 8.5.9

References

CVE
CVE-2016-0770
URL
http://www.vapidlabs.com/advisory.php?v=161

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
firefart
Submitter website
https://firefart.at/
Submitter twitter
_FireFart_
Verified
No
WPVDB ID
c9ac8687-ae77-4960-83af-c424edbdcada

Timeline

Publicly Published
2016-02-02 (about 10 years ago)
Added
2016-02-02 (about 10 years ago)
Last Updated
2021-01-19 (about 5 years ago)

Other

Published
Title
Published
2026-03-30
Title
Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page
Published
2025-07-15
Title
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations < 2.0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-18
Title
flashy <= 1.2.1 - Reflected Cross-Site Scripting
Published
2025-02-24
Title
Contact Form 7 Star Rating <= 1.10 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
XSS in jobroller theme