This report is currently private but will be published in 29 days.

WordPress My Super Plugin Plugin <= 1.0.5 is vulnerable to Cross Site Scripting (XSS)

10
Critical severity CVSS 3.1 score
29 days until published 09.06.2023

Claim ownership and start a managed Vulnerability Disclosure Program.

Apply for mVDP

Vulnerability description

Dave Jong discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress My Super Plugin Plugin to Patchstack.

How to reproduce

This vulnerability exists due to missing access control in the wp_nopriv_myaction WP AJAX action.

In order to reproduce it, send a POST payload to /wp-admin/admin-ajax.php with the follow POST parameters:

action:myaction
option:myoptionname
value:<script>alert(1)</script>

After this, the JavaScript script above will be executed on all pages.

Researcher files

No files were uploaded by the researcher.

Found this useful? Thank Dave Jong for reporting this vulnerability. Buy a coffee ☕
Software
My Super Plugin
Type
Plugin
Vulnerable versions
<= 1.0.5
CVE
Not assigned yet
Classification
Cross Site Scripting (XSS)
OWASP Top 10
A7: Cross-Site Scripting (XSS)
Required privilege
Unauthenticated
Credits
Dave Jong Dave Jong
Publicly disclosed
in 29 days
Request a security audit from our certified in-house security researchers. Request audit
Upload or provide access to a security patch in order to complete the report.

Provide link to fix

DPA Privacy Policy Terms & Conditions © 2023 Patchstack

Solutions

WordPress security Vulnerability database Vulnerability API Bug bounty program Plugin auditing

WordPress security

Pricing & features For care plans For hosts For pluginsNEW Documentation

Patchstack

About us Careers Media Kit Articles & insight Whitepaper 2022NEW

Social

Let us know if we have missed a vulnerability reported elsewhere

Report arrow right Close

Thank you for contributing!

Successfully submit vulnerabilities and receive an invite to our Alliance platform.

Learn more arrow right Close

Patch has been uploaded

Thank you for uploading the patch, we will look into the patch as soon as possible and get back at you.

Close