Multiple Plugins from Smash Balloon – Reflected Cross-Site Scripting

Description

The plugins do not properly sanitise the URL generated to dismiss the New Users notifications, leading to a reflected Cross-Site Scripting issue

Proof of Concept

When there is a notification such as a discount or review, opening the following URL as admin will trigger the XSS: https://example.com/wp-admin/tools.php?"><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 2.9.2

Fixed in 2.19.2

Fixed in 1.8.2

Fixed in 1.4.2

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

e766e165-1a05-4065-9e71-27b528641dd2

Timeline

Publicly Published

2021-07-20 (about 2 years ago)

Added

2022-06-07 (about 1 years ago)

Last Updated

2022-06-07 (about 1 years ago)

Other

Published

Title

Published

2024-03-29

Title

Weekly Class Schedule <= 3.19 - Reflected Cross-Site Scripting

Published

2023-08-14

Title

Article Directory Redux <= 1.0.2 - Admin+ Stored XSS

Published

2024-05-17

Title

Testimonial Carousel For Elementor < 10.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-11-15

Title

Security Audit <= 1.0.0 - Admin+ Stored Cross Site Scripting

Published

2015-04-16

Title

FooBox Image Lightbox <= 1.0.4 - Cross-Site Scripting (XSS)