Multiple Plugins from Smash Balloon – Reflected Cross-Site Scripting

Description

The plugins do not properly sanitise the URL generated to dismiss the New Users notifications, leading to a reflected Cross-Site Scripting issue

Proof of Concept

When there is a notification such as a discount or review, opening the following URL as admin will trigger the XSS: https://example.com/wp-admin/tools.php?"><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 2.9.2

Fixed in 2.19.2

Fixed in 1.8.2

Fixed in 1.4.2

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

e766e165-1a05-4065-9e71-27b528641dd2

Timeline

Publicly Published

2021-07-20 (about 4 years ago)

Added

2022-06-07 (about 3 years ago)

Last Updated

2022-06-07 (about 3 years ago)

Other

Published

Title

Published

2021-09-27

Title

Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting

Published

2016-05-11

Title

pondol-carousel 1.0 - Cross-Site Scripting (XSS)

Published

2025-12-31

Title

Dashboard Beacon <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-10-14

Title

Job Portal <= 0.0.1 - Admin+ Stored Cross-Site Scripting

Published

2023-05-10

Title

Tiny carousel horizontal slider plus <= 3.2 - Admin+ Stored XSS