WordPress Plugin Vulnerabilities

Software License Manager < 4.4.8 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
software-license-manager
Fixed in 4.4.8

References

CVE
CVE-2021-24560

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
iohex
Submitter
iohex
Submitter twitter
iohehe
Verified
Yes
WPVDB ID
d51fcd97-e535-42dd-997a-edc2f5f12269

Timeline

Publicly Published
2021-08-11 (about 4 years ago)
Added
2021-08-11 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2025-04-11
Title
WP Easy Poll <= 2.2.9 - Reflected Cross-Site Scripting
Published
2024-05-29
Title
Testimonial Carousel For Elementor < 10.2.3 - Contributor+ Stored XSS
Published
2025-06-24
Title
SiteOrigin Widgets Bundle < 1.69.0 - Contributor+ Stored XSS via `data-url` DOM Element Attribute
Published
2023-02-20
Title
ProfilePress < 4.5.5 - Contributor+ Stored XSS
Published
2015-04-20
Title
Give - Cross-Site Scripting (XSS)