WordPress Plugin Vulnerabilities

simpleSAMLphp Authentication <= 0.7.0 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts

Affects Plugins

Plugin icon
simplesamlphp-authentication
No known fix

References

CVE
CVE-2021-38320
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38320

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
cda65567-3148-40db-bc6a-e4fca984715a

Timeline

Publicly Published
2021-09-08 (about 4 years ago)
Added
2021-09-09 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2026-03-06
Title
Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Published
2018-01-26
Title
Splashing Images <= 2.1 - Cross-Site Scripting (XSS)
Published
2025-04-07
Title
AI Autotagger < 3.30.0 - Admin+ Stored XSS
Published
2023-03-20
Title
Simple Giveaways < 2.45.1 - Admin+ Stored XSS
Published
2025-02-22
Title
Easy Charts < 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting