WordPress Plugin Vulnerabilities

Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
adaptive-images
Fixed in 0.6.69

References

URL
https://plugins.trac.wordpress.org/changeset/2655683

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Jan w Oleju
Submitter
Jan w Oleju
Verified
Yes
WPVDB ID
eef137af-408c-481c-8493-afe6ee2105d0

Timeline

Publicly Published
2022-01-11 (about 3 years ago)
Added
2022-01-11 (about 3 years ago)
Last Updated
2022-01-11 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
Dexs PM System 1.0.1 - Private Message subject Parameter Stored XSS
Published
2023-10-12
Title
WP ULike < 4.6.9 - Contributor+ Stored Cross Site Scripting via Shortcode
Published
2024-03-05
Title
Simple Membership < 4.4.3 - Unauthenticated Stored Self-Based Cross-Site Scripting
Published
2017-10-08
Title
Import any XML or CSV File to WordPress <= 3.4.5 - Cross-Site Scripting (XSS)
Published
2025-12-01
Title
Nexter Extension < 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode