6 Aug 2024

Reflected Cross-Site Scripting (XSS) Vulnerability in Stock Ticker

We recently had an attacker try to exploit a vulnerability on our website, which was blocked by our Plugin Vulnerabilities Firewall. The logging for that was as follows:

Value in POST input "class": " onmousemove=alert(document.domain) AJAX action used was stockticker_load.

Like another reflected cross-site scripting (XSS) vulnerability the hacker was trying to exploit, we traced that back to the plugin Stock Ticker. This time, the vulnerability was actually exploitable in the way the hacker was attempting to exploit it.

The fix for the vulnerability was labeled as “Security: Fix CSS of stockticker_load,” with “CSS” evidently a misspelling of XSS. It was fixed by sanitizing the “class” POST input using sanitize_html_class():

```php
// Restricts the value to the characters [A-Za-z0-9_-] before it is reflected.
$class         = sanitize_html_class( $_POST['class'] );
```
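To show why that one-line change closes the attribute breakout the firewall logged, here is an added example (not code from the plugin or from WordPress) that models sanitize_html_class() in Python and renders the “class” value into a hypothetical class attribute, once unsanitized and once through the fix; the rendering function and the breakout check are assumptions for illustration.

```python
import re

# Constructed sample: the payload recorded in the firewall log quoted above.
LOGGED_PAYLOAD = '" onmousemove=alert(document.domain)'


def sanitize_html_class(value: str, fallback: str = "") -> str:
    """Python model of WordPress' sanitize_html_class() (assumption: mirrors the
    core logic; the 'sanitize_html_class' filter hook is omitted).
    Strips percent-encoded bytes, then every character outside [A-Za-z0-9_-]."""
    sanitized = re.sub(r"%[a-fA-F0-9]{2}", "", value)
    sanitized = re.sub(r"[^A-Za-z0-9_-]", "", sanitized)
    if sanitized == "" and fallback:
        return sanitize_html_class(fallback)
    return sanitized


def render_ticker_div(css_class: str, sanitize: bool) -> str:
    """Hypothetical rendering step: the POST 'class' value lands in a class
    attribute. sanitize=False models the pre-fix path, sanitize=True the fix."""
    if sanitize:
        css_class = sanitize_html_class(css_class)
    return f'<div class="{css_class}"></div>'


def attribute_breakout(html: str) -> bool:
    """Defender-side check: did the value escape the class attribute and add
    further attributes (such as an on* event handler) to the opening div tag?"""
    m = re.match(r"<div\s+([^>]*)>", html)
    attrs = re.findall(r"([A-Za-z-]+)\s*=", m.group(1)) if m else []
    return len(attrs) > 1


if __name__ == "__main__":
    for sanitize in (False, True):
        html = render_ticker_div(LOGGED_PAYLOAD, sanitize=sanitize)
        print(f"sanitize={sanitize}: {html}  breakout={attribute_breakout(html)}")
```

Run stand-alone, the unsanitized render keeps the injected onmousemove attribute, while the sanitized render collapses the payload to the harmless class name onmousemovealertdocumentdomain.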

Plugin Security Scorecard Grade for Stock Ticker

Checked on August 6, 2024: B

