The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation (WPScanTeam), the cause was found to be test files from the php-mod/curl library bundled with the plugin, which were missing appropriate response headers before outputting user input. We contacted the vendor of the library, which issued a fix (v2.3.2) within a few hours. In the meantime, the entire WordPress plugins repository was scanned for the affected files and 4 additional plugins were identified to be affected as well.
https:///tests/server/php-curl-test/post_file_path_upload.php?key=%3cimg%20src%20onerror%3dalert(%27XSS%27)%3e

curl -X POST -i --data '' https:///tests/server/php-curl-test/post_multidimensional.php
CPE | Name | Operator | Version
---|---|---|---
| slider-range-htapps | lt | 1.1.6
| woo-qiwi-payment-gateway | eq | *
| teamleader-form-integration | lt | 2.1.0
| woo-billing-with-invoicexpress | lt | 3.0.3
| shopello | eq | *
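As an added example (not part of the advisory and not WPScan's own tooling), a small Python scanner that mirrors the repository sweep described above: it walks a WordPress plugins directory, reports any plugin that bundles the php-mod/curl test server scripts, and checks a plugin version against the table. The plugins root, the fixture tree and the vendor path under the plugin are assumptions for the demonstration.

```python
import os
import re
import tempfile

# Directory inside php-mod/curl whose test scripts echo request input (path from the advisory PoC).
CURL_TEST_DIR = "tests/server/php-curl-test"
# Affected plugins and version predicates, copied from the advisory table ("*" = every version).
AFFECTED = {
    "slider-range-htapps": ("lt", "1.1.6"),
    "woo-qiwi-payment-gateway": ("eq", "*"),
    "teamleader-form-integration": ("lt", "2.1.0"),
    "woo-billing-with-invoicexpress": ("lt", "3.0.3"),
    "shopello": ("eq", "*"),
}

def version_tuple(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_affected_version(slug, version):
    """True if the advisory table lists this slug/version as affected ("*" = every version)."""
    op, ref = AFFECTED.get(slug, (None, None))
    if ref == "*":
        return True
    return op == "lt" and version_tuple(version) < version_tuple(ref)

def shipped_curl_tests(plugin_dir):
    """Relative paths of php-curl-test scripts found anywhere under one plugin directory."""
    found = []
    for root, _dirs, files in os.walk(plugin_dir):
        if root.replace(os.sep, "/").endswith(CURL_TEST_DIR):
            found += [os.path.relpath(os.path.join(root, f), plugin_dir) for f in files if f.endswith(".php")]
    return sorted(found)

def scan_plugins(plugins_root):
    """Map slug -> shipped test scripts for every plugin directory that bundles them."""
    report = {}
    for slug in sorted(os.listdir(plugins_root)):
        hits = shipped_curl_tests(os.path.join(plugins_root, slug))
        if hits:
            report[slug] = hits
    return report

def build_sample_tree():
    """Constructed fixture (assumed layout): one plugin bundling the library's test server, one clean plugin."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "slider-range-htapps", "vendor", "php-mod", "curl", *CURL_TEST_DIR.split("/"))
    os.makedirs(bad)
    open(os.path.join(bad, "post_multidimensional.php"), "w").close()
    os.makedirs(os.path.join(root, "clean-plugin"))
    return root
```

Run `scan_plugins("/path/to/wp-content/plugins")` against a real install; any plugin it reports should be updated past the versions in the table, or the bundled test directory removed.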