WordPress Plugin Vulnerabilities

Multiple Plugins from Avirtum - Reflected Cross-Site Scripting

Description

Most plugins (both free and premium) from the Avirtum author do not escape a page parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues.

The issues were reported to the vendor on August 4th, 2021

Proof of Concept

Affects Plugins

Plugin icon
ipanorama-360-virtual-tour-builder-lite
Fixed in 1.6.22
Plugin icon
vision
Fixed in 1.5.2
Plugin icon
ipages-flipbook
Fixed in 1.4.3
Plugin icon
imagelinks-interactive-image-builder-lite
Fixed in 1.5.3
Plugin icon
easy-custom-js-and-css
No known fix
Plugin icon
ipanorama-pro
Fixed in 1.6.22
Plugin icon
imagelinks-pro
Fixed in 1.5.3
Plugin icon
ipages-flipbook-pro
Fixed in 1.4.3
Plugin icon
vision-pro
Fixed in 1.5.2
Plugin icon
easy-custom-js-and-css-pro
No known fix

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
dfa607af-6595-4906-95a0-1010859b6ce1

Timeline

Publicly Published
2021-10-11 (about 4 years ago)
Added
2021-10-11 (about 4 years ago)
Last Updated
2022-09-27 (about 3 years ago)

Other

Published
Title
Published
2025-02-12
Title
LTL Freight Quotes – Unishippers Edition < 2.5.9 - Reflected Cross-Site Scripting
Published
2022-04-11
Title
Fast Flow < 1.2.12 - Reflected Cross-Site Scripting
Published
2025-07-18
Title
LeadBI Plugin for WordPress <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2024-06-06
Title
Rife Free < 2.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2017-12-05
Title
WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)