The plugin was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, so any user, even an unauthenticated one, could cause arbitrary JavaScript to be executed in the admin panel.
http://127.0.0.1:8001/?search-submit={img%20src%20onerror=alert(1)}

Then the admin needs to browse http://127.0.0.1:8001/wp-admin/admin.php?page=wppa_options&wppa-tab=miscadv and show the content of the error log in the "logging" section.
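The class of bug described above, as an added example that is not the plugin's own code: a log viewer that concatenates stored log text into the admin page, beside a version that encodes each entry on output. The function names, the log line format and the sample entry are assumptions constructed for illustration; in WordPress code the encoding step would normally be `esc_html()`.

```php
<?php
// Added illustration, not code from the plugin. Function names and the
// log line format are hypothetical.

// Unsafe pattern: stored log text is emitted into the admin page as HTML,
// so any markup a visitor got into the log is parsed by the admin's browser.
function render_log_unsafe(array $lines): string
{
    return '<pre>' . implode("\n", $lines) . '</pre>';
}

// Hardened pattern: every entry is untrusted text, whoever wrote it.
function render_log_safe(array $lines, int $maxLen = 500): string
{
    $out = [];
    foreach ($lines as $line) {
        // Drop control characters that could confuse the viewer or a terminal.
        $line = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', (string) $line);
        // Cap entry length so one request cannot flood the admin page.
        if (strlen($line) > $maxLen) {
            $line = substr($line, 0, $maxLen) . ' [truncated]';
        }
        // Encode at output time. ENT_SUBSTITUTE replaces invalid UTF-8
        // (including a multibyte character cut by substr) instead of
        // returning an empty string.
        $out[] = htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return '<pre>' . implode("\n", $out) . '</pre>';
}

// Constructed sample entry: a request parameter containing harmless markup.
$log = ['2022-01-02 10:00:00 search-submit=<em>visitor text</em>'];

echo render_log_unsafe($log), "\n"; // <em> reaches the page as an element
echo render_log_safe($log), "\n";   // shown as literal &lt;em&gt;...&lt;/em&gt;
```

Encoding belongs at the point of display as shown here, because filtering only at write time leaves entries already in the log unprotected.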
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-02
2022-01-14
2022-04-12