128 matches found
WordPress plugin cross-site request forgery vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. WordPress NextScripts:Social Networks Auto-Poster plugin is vulnerable to cross-site request forgery in versions prior to 4.3.25. The vulnerability stems from the fact that there is no CSRF check...
NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF
The plugin does not have a CSRF check in place when deleting items, allowing an attacker to make a logged-in admin delete arbitrary posts via a CSRF attack. PoC: https://example.com/wp-admin/admin.php?page=nxssnap-reposter&item=1&action=delete...
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS
The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue. PoC: curl -H 'x-tomato: ' 'https://example.com/?nxs-cronrun=yes' The XSS will be triggered in the Log/History dashboard...
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS
The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue. curl -H 'x-tomato: alert/XSS/;' 'https://example.com/?nxs-cronrun=yes' The XSS will be triggered in the Log/History...
NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF
The plugin does not have a CSRF check in place when deleting items, allowing an attacker to make a logged-in admin delete arbitrary posts via a CSRF attack. https://example.com/wp-admin/admin.php?page=nxssnap-reposter&item=1&action=delete...
WordPress NextScripts plugin <= 4.3.24 - Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability
Post Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Krzysztof Zając in WordPress NextScripts plugin (versions <= 4.3.24). Solution: Update the WordPress NextScripts plugin to the latest available version (at least 4.3.25)...
WordPress NextScripts: Social Networks Auto-Poster plugin <= 4.3.23 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress NextScripts: Social Networks Auto-Poster plugin (versions <= 4.3.23). Solution: Update the WordPress NextScripts: Social Networks Auto-Poster plugin to the latest available version (at least 4.3.24)...
NextScripts Social Networks Auto-Poster Plugin for WordPress < 4.3.21 Cross-Site Scripting
The WordPress NextScripts Social Networks Auto-Poster Plugin installed on the remote host is affected by a reflected Cross-Site Scripting (XSS) vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
CVE-2021-38356
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on inc/nxsclasssnap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...
CVE-2021-38356
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on inc/nxsclasssnap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...
Cross site scripting
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on inc/nxsclasssnap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...
CVE-2021-38356
The CVE affects the WordPress plugin NextScripts: Social Networks Auto-Poster (versions
CVE-2021-38356 NextScripts: Social Networks Auto-Poster <= 4.3.20 Reflected Cross-Site Scripting
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on inc/nxsclasssnap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...
CVE-2021-38356 NextScripts: Social Networks Auto-Poster <= 4.3.20 Reflected Cross-Site Scripting
The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on inc/nxsclasssnap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...
WordPress NextScripts: Social Networks Auto-Poster 4.3.20 XSS Vulnerability
WordPress NextScripts: Social Networks Auto-Poster plugin versions 4.3.20 and below suffer from a cross-site scripting vulnerability. Description: Reflected Cross-Site Scripting (XSS) Affected Plugin: NextScripts: Social Networks Auto-Poster Plugin Slug: social-networks-auto-poster-facebook-twitter-...
WordPress plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress Plugin is an open source application plugin for WordPress. The WordPress plugin suffers from a cross-sit...
NextScripts: Social Networks Auto-Poster < 4.3.21 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...
WordPress NextScripts: Social Networks Auto-Poster 4.3.20 XSS
Description: Reflected Cross-Site Scripting (XSS) Affected Plugin: NextScripts: Social Networks Auto-Poster Plugin Slug: social-networks-auto-poster-facebook-twitter-g Affected Versions: sprintf'Edit',$REQUEST'page','edit',$item-ID, 'delete' = sprintf'Delete',$REQUEST'page','delete',$item-ID, ;...
XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting (XSS) vulnerability we found in...
WordPress NextScripts: Social Networks Auto-Poster plugin <= 4.3.20 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ramuel Gall (WordFence) in WordPress NextScripts: Social Networks Auto-Poster plugin (versions <= 4.3.20). Solution: Update the WordPress NextScripts: Social Networks Auto-Poster plugin to the latest available version (at least 4.3.21)...