WordPress Plugin Vulnerabilities

Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters

Description

An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.

Proof of Concept

Affects Plugins

Plugin icon
rencontre
Fixed in 3.2

References

URL
https://gist.github.com/Sathishshan/6c67d0fc2305ae87bb5179a483aa7895

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Sathish Shan
Submitter
Sathish Shan
Submitter website
https://medium.com/@sathish_shan
Submitter twitter
sathishshans
Verified
No
WPVDB ID
e1438038-dd33-45b4-9b3e-6376fa32b063

Timeline

Publicly Published
2019-08-04 (about 6 years ago)
Added
2019-12-08 (about 6 years ago)
Last Updated
2019-12-09 (about 6 years ago)

Other

Published
Title
Published
2024-04-09
Title
Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via "Price List" Element
Published
2026-02-17
Title
VK All in One Expansion Unit < 9.112.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via SNS Title
Published
2023-11-13
Title
BSK Contact Form 7 Blacklist <= 1.0.1 - Reflected Cross-Site Scripting
Published
2025-02-03
Title
Google Earth Embed <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-10
Title
WPUpper Share Buttons < 3.43 - Admin+ Stored XSS