WP Product Review < 3.7.6 - Unauthenticated Stored Cross-Site Scripting (XSS)



Description
"All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products."
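The failure mode described above, as an added example that is not the plugin's code or part of the original advisory: a sanitizer that only strips tags leaves quote characters intact, so a value echoed inside an HTML attribute can close that attribute. The advisory does not name the WordPress function involved, so PHP's `strip_tags()` and `htmlspecialchars()` are assumed stand-ins here (WordPress's attribute-context escaper is `esc_attr()`); the input is a constructed, harmless marker attribute, and the script assumes PHP's DOM extension is available.

```php
<?php
// Added example, not the plugin's code. The advisory does not name the
// sanitizer, so strip_tags() stands in for a tag-stripping sanitizer and
// htmlspecialchars() for attribute-context escaping (esc_attr() in WordPress).

// Constructed input: no tags at all, only a quote and a harmless marker attribute.
$input = 'Great product" data-injected="1';

function render_unsafe(string $value): string {
    // Tag stripping has nothing to remove and leaves the double quote intact.
    return '<input type="text" name="review" value="' . strip_tags($value) . '">';
}

function render_safe(string $value): string {
    // Escape for the attribute context at output time.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="review" value="' . $escaped . '">';
}

// Parse the markup with an HTML parser and list the attributes the element ends up with.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    $el = $doc->getElementsByTagName('input')->item(0);
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Attributes the template itself defines; anything else came from user input.
$expected = ['type', 'name', 'value'];
$rendered = ['unsafe' => render_unsafe($input), 'safe' => render_safe($input)];
foreach ($rendered as $label => $html) {
    $extra = array_diff(attribute_names($html), $expected);
    printf("%-6s %s\n       unexpected attributes: %s\n", $label, $html,
        $extra ? implode(', ', $extra) : 'none');
}
```

The same attribute-list comparison can be used as a regression check on rendered templates after updating to the fixed version.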

Affects Plugin

Fixed in version 3.7.6

References

URL https://labs.sucuri.net/unauthenticated-stored-cross-site-scripting-in-wp-support-review/
URL https://plugins.trac.wordpress.org/changeset/2304778/wp-product-review

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher John Castro (Sucuri)
Views 730
Verified No
WPVDB ID 10226

Timeline

Publicly Published 2020-05-14 (12 days ago)
Added 2020-05-14 (11 days ago)
Last Updated 2020-05-15 (10 days ago)
