9 Jan 2023

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in iubenda

Recently we detailed a privilege escalation vulnerability that had existed in the WordPress plugin iubenda, after seeing a hacker probing for the plugin. It turns out the hacker might have been targeting another vulnerability in the plugin, which had been fixed alongside that one.


21 Dec 2022

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Meteor Slides

The WordPress plugin Meteor Slides was closed on the WordPress Plugin Directory yesterday. As at least one customer of ours is using the plugin, we were alerted to the closure. No explanation has been given for the closure, but we found that it contains an authenticated persistent cross-site scripting vulnerability, which, according to WPScan, was already found by Lana Codes. That vulnerability is caused by the plugin’s shortcode functionality.


7 Dec 2022

Patchstack Isn’t Verifying Vulnerability Info Being Copied From WPScan’s Inaccurate Data

Yesterday, we noted that the WordPress security provider WPScan isn’t verifying claimed vulnerabilities being added to their data set, despite claiming to do just that. That came in the context of them claiming that there was a vulnerability in a plugin, where what they claimed was at issue wasn’t really a vulnerability, but there really was a more serious vulnerability. That wasn’t a one-off issue.

WPScan recently claimed that the plugin Popup Maker had contained an admin+ stored cross-site scripting vulnerability, which they described this way:

22 Oct 2022

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Image Hover Effects

The commit message for the latest change made to the WordPress plugin Image Hover Effects is “fixed Vulnerability issue”. As at least one of our customers is using the plugin, we reviewed the change. What we found is that it didn’t appear to fix a vulnerability, but there is a serious vulnerability connected with the code that was being changed.
