This report is currently private but will be published in 30 days.

WordPress My Super Plugin Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)

Patch immediately High priority
10.0
Critical severity CVSS 3.1 score
30 days until published 29 July, 2023

Vulnerability description

Dave Jong discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress My Super Plugin Plugin to Patchstack.

See tips for patching this kind of vulnerability

How to reproduce

This vulnerability exists due to missing access control in the wp_nopriv_myaction WP AJAX action.

In order to reproduce it, send a POST payload to /wp-admin/admin-ajax.php with the follow POST parameters:

action:myaction
option:myoptionname
value:<script>alert(1)</script>

After this, the JavaScript script above will be executed on all pages.

Additional comment by Patchstack

This is an additional comment left by the Patchstack team.

Found this useful? Thank Dave Jong for reporting this vulnerability. Buy a coffee ☕
Software
My Super Plugin
Type
Plugin
Vulnerable versions
<= 1.0.5
CVE
Not assigned yet
Classification
Cross Site Scripting (XSS)
OWASP Top 10
A7: Cross-Site Scripting (XSS)
Required privilege
Unauthenticated
Credits
Dave Jong Dave Jong
Publicly disclosed
in 30 days
Request a security audit from our certified in-house security researchers. Request audit
Upload or provide access to a security patch in order to complete the report.

Provide link to fix

Let us know if we have missed a vulnerability reported elsewhere

Report arrow right Close

Thank you for contributing!

Successfully submit vulnerabilities and receive an invite to our Alliance platform.

Learn more arrow right Close

Patch has been uploaded

Thank you for uploading the patch, we will look into the patch as soon as possible and get back at you.

Close