myCred < 2.4 - Reflected Cross-Site Scripting

2021-12-2700:00:00

Krzysztof Zając

260

mycred version 2.4 cross-site scripting

EPSS

0.001

Percentile

31.7%

JSON

The plugin does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue

https://example.com/wp-admin/users.php?page=mycred_default-history&s=%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E

References

plugins.trac.wordpress.org/changeset/2648350/mycred

EPSS

0.001

Percentile

31.7%

JSON

Related for WPEX-ID:7608829D-2820-49E2-A10E-E93EB3005F68