Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitRenniepakWPEX-ID:ED9D26BE-CC96-4274-A05B-0B7AD9D8CFD9
HistoryJul 27, 2021 - 12:00 a.m.

Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)

2021-07-2700:00:00
renniepak
312
JSON

The plugin does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator. Timeline (WPScanTeam): June 28th, 2021 - Details sent to vendor July 9th, 2021 - Escalated to WP due to lack of response from vendor July 27th, 2021 - No update, disclosing August 9th, 2021 - v1.3.22 released, fixing the issue

Affected parameter: json_result_url

https://example.com/wp-admin/themes.php?page=favicon-by-realfavicongenerator%2Fadmin%2Fclass-favicon-by-realfavicongenerator-admin.phpfavicon_appearance_menu&json_result_url=%3Cimg%20src=x%20onerror=alert(document.domain)%3E

Related

wpvulndb 1
patchstack 1
prion 1
cve 1
openvas 1
wpvulndb
wpvulndb
Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)
2021-07-27 00:00:00
patchstack
patchstack
WordPress Favicon plugin <= 1.3.20 - Reflected Cross-Site Scripting (XSS) vulnerability
2021-07-27 00:00:00
prion
prion
Cross site scripting
2021-08-30 15:15:00
cve
cve
CVE-2021-24437
2021-08-30 15:15:00
openvas
openvas
WordPress Favicon by RealFaviconGenerator Plugin < 1.3.22 XSS Vulnerability
2021-09-03 00:00:00
JSON
Related for WPEX-ID:ED9D26BE-CC96-4274-A05B-0B7AD9D8CFD9
wpvulndb1patchstack1prion1cve1openvas1