How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Best Payments Plugin for WP < 4.2.1 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins

Proof of Concept

As unauthenticated, on a page/post where there is a contact form created via the plugin, put the following payload in the Name, Subject and Message fields: <img src onerror=alert(/XSS/)>

The XSS will be triggered when an admin will view the related entry

Affects Plugins

wp-payment-form

Fixed in version 4.2.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Rafshanzani Suhada

Submitter

Rafshanzani Suhada

Verified

Yes

WPVDB ID

d89eff7d-a3e6-4876-aa0e-6d17e206af83

Timeline

Publicly Published

2022-08-10 (about 3 months ago)

Added

2022-08-10 (about 3 months ago)

Last Updated

2022-08-10 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin