WordPress Plugin Vulnerabilities

360 Product Rotation <= 1.5.8 - Reflected XSS

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Proof of Concept

Affects Plugins

Plugin icon
360-product-rotation
No known fix

References

CVE
CVE-2024-13823

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Hassan Khan Yusufzai - Splint3r7
Submitter
Hassan Khan Yusufzai - Splint3r7
Submitter website
https://hassankhanyusufzai.com
Submitter twitter
Splint3r7
Verified
Yes
WPVDB ID
dcfd8a03-0a04-4fd1-986d-1e816b1fad19

Timeline

Publicly Published
2024-12-26 (about 1 year ago)
Added
2025-02-11 (about 10 months ago)
Last Updated
2025-02-11 (about 10 months ago)

Other

Published
Title
Published
2024-09-09
Title
The Post Grid < 7.5.0 - Editor+ Stored XSS via Grid Creation
Published
2025-07-16
Title
Bold Page Builder < 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-19
Title
WPAdverts < 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-10
Title
Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-04-28
Title
WP-CORS < 0.2.2 - Admin+ Stored XSS