Vulnerability Report Information

WordPress My Super Plugin Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)

Patch immediately High priority

10.0

Critical severity CVSS 3.1 score

30 days until published 29 July, 2023

Vulnerability description

Dave Jong discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress My Super Plugin Plugin to Patchstack.

See tips for patching this kind of vulnerability

How to reproduce

This vulnerability exists due to missing access control in the wp_nopriv_myaction WP AJAX action.

In order to reproduce it, send a POST payload to /wp-admin/admin-ajax.php with the follow POST parameters:

action:myaction
option:myoptionname
value:<script>alert(1)</script>

After this, the JavaScript script above will be executed on all pages.

Additional comment by Patchstack

This is an additional comment left by the Patchstack team.

Found this useful? Thank Dave Jong for reporting this vulnerability. Buy a coffee ☕

Software

My Super Plugin

Type

Plugin

Vulnerable versions

<= 1.0.5

CVE

Not assigned yet

Classification

Cross Site Scripting (XSS)

OWASP Top 10

A7: Cross-Site Scripting (XSS)

Required privilege

Unauthenticated

Credits

Dave Jong

Publicly disclosed

in 30 days

Request a security audit from our certified in-house security researchers. Request audit

Upload or provide access to a security patch in order to complete the report.

Upload patch

WordPress My Super Plugin Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)

Vulnerability description

How to reproduce

Additional comment by Patchstack

Solutions

WordPress security

Patchstack

Social

WordPress My Super Plugin Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)

Vulnerability description

How to reproduce

Additional comment by Patchstack

Provide link to fix

Solutions

WordPress security

Patchstack

Social

Let us know if we have missed a vulnerability reported elsewhere

Thank you for contributing!

Patch has been uploaded