File Manager < 3.0 - Authenticated Reflected Cross-Site Scripting (XSS)

2018-09-0600:00:00

Ryan Dewhurst

0.001 Low

EPSS

Percentile

34.1%

JSON

Lack of sanitisation in the lang parameter in the admin dashboard could allow attacker to perform reflected XSS attacks against logged in administrators

https://example.com/wp-admin/admin.php?page=wp_file_manager&lang=zh_CN</script><script>alert(`XSS`)</script>

References

blog.51cto.com/010bjsoft/2171087

plugins.trac.wordpress.org/changeset/1936043

wordpress.org/support/topic/security-concern-6/#post-10655739

0.001 Low

EPSS

Percentile

34.1%

JSON

Related for WPEX-ID:65E4849B-6517-400D-884F-65234F58AB0C