Outdated php-mod/curl Library - Unauthenticated Reflected Cross-Site Scripting (XSS)

The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation (WPScanTeam), the cause was found to be test files from the php-mod/curl library, which was missing appropriate response headers before outputting user input. We contacted the vendor of the library, which issued a fix (v2.3.2) within a few hours. In the meantime, the entire WordPress plugins repository was scanned for the affected files and 4 additional plugins were identified to be affected as well

PoC

https:///tests/server/php-curl-test/post_file_path_upload.php?key=%3cimg%20src%20onerror%3dalert(%27XSS%27)%3e curl -X POST -i --data ‘’ https:///tests/server/php-curl-test/post_multidimensional.php