WordPress Plugin Vulnerabilities
Project Status <= 1.6 - Reflected Cross-Site Scripting (XSS)
Description
The pspin_duplicate_post_save_as_new_post function of the plugin does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue
Proof of Concept
Open the below URL as any authenticated user https://example.com/wp-admin/admin.php?action=pspin_duplicate_post_save_as_new_post_draft&post=%3Cscript%3Ealert(document.domain)%3C/script%3E
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-07-24 (about 2 years ago)
Added
2021-07-24 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)