This report is currently private but will be published in 11 days.

WordPress Super Special Form Plugin <= 13.37 is vulnerable to Cross Site Scripting (XSS)

CVSS 3.1 score: 7.1 (High severity)
Publication: 21.01.2023 (11 days until published)


Vulnerability description

Dave discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Super Special Form Plugin to Patchstack.

Researcher description

Reflected Cross Site Scripting (XSS) is possible in this plugin, which makes it possible to get the document.cookie and perform other reflected XSS attack types, such as the ability to redirect the user to another domain name or execute a JavaScript file.

How to reproduce

While logged in as an administrator, visit the URL /wp-admin/?super_special=%3Cimg%20src%3d1%20onerror%3dalert(document.cookie)%3E&id=1. As it is a reflected XSS attack, some kind of social engineering attack would be required for successful exploitation.
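For defenders, the reproduction step above gives a concrete detection signal: a `super_special` query parameter on a `/wp-admin/` request that carries markup after percent-decoding. The following log scanner is an added example, not part of the advisory or of the plugin; the access log lines are constructed and the parameter watchlist is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (not taken from the advisory). The second
# line carries the probe from the report; the third is the same idea double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2023:10:00:01 +0000] "GET /wp-admin/?super_special=hello&id=1 HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2023:10:00:07 +0000] "GET /wp-admin/?super_special=%3Cimg%20src%3d1%20onerror%3dalert(document.cookie)%3E&id=1 HTTP/1.1" 200 734
203.0.113.9 - - [10/Jan/2023:10:00:09 +0000] "GET /wp-admin/?super_special=%253Cscript%253E HTTP/1.1" 200 734
198.51.100.2 - - [10/Jan/2023:10:01:00 +0000] "GET /wp-admin/?other=1 HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup that has no business in a plain form parameter: a tag opener,
# an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*\w|on\w+\s*=|javascript:', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %253C is caught as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target, watched=("super_special",)):
    """Return {param: decoded_value} for watched /wp-admin/ query parameters carrying markup."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/"):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for v in values:
            decoded = fully_decode(v)  # parse_qs already removed one layer
            if MARKUP_RE.search(decoded):
                hits[name] = decoded
    return hits

def scan_log(text):
    """Return (client_ip, param, decoded_value) for each flagged request line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")).items():
            findings.append((ip, name, value))
    return findings
```

The same check belongs in a WAF or reverse-proxy rule for the parameter until the plugin output is escaped; the decoded value in each finding is what the browser would have rendered.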

Researcher files

No files were uploaded by the researcher.

Software: Super Special Form
Type: Plugin
Vulnerable versions: <= 13.37
CVE: Not assigned yet
Classification: Cross Site Scripting (XSS)
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Required privilege: Unauthenticated
Credits: Dave
Publicly disclosed: in 11 days