WordPress Plugin Vulnerabilities
Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting
Description
The plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection.
Proof of Concept
Iimport a CSV file containing the following in the header: 'term<b>" autofocus onfocus={alert('Complex\u0020XSS');alert(document.cookie);}//'"
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Jack Misiura
Verified
No
WPVDB ID
Timeline
Publicly Published
2020-12-12 (about 3 years ago)
Added
2020-12-12 (about 3 years ago)
Last Updated
2020-12-14 (about 3 years ago)