WordPress Plugin Vulnerabilities
iFlyChat – WordPress Chat < 4.7.0 - Admin+ Stored Cross-Site Scripting (XSS)
Description
The plugin does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue
Proof of Concept
Enter the following payload in the "APP ID" field of the plugin settings (wp-admin/options-general.php?page=iflychat_settings): +xss"/><script>alert(1)</script>
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Kishore Hariram
Submitter
kishore hariram
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-24 (about 3 years ago)
Added
2021-05-24 (about 3 years ago)
Last Updated
2022-02-02 (about 2 years ago)