The NewStatPress plugin utilizes on lines 28 and 31 of the file ‘includes/nsp_search.php’ several variables from the $_GET scope, without sanitation. While WordPress automatically escapes quotes on this scope, the outputs on these lines are outside of quotes, and as such can be utilized to trigger a Reflected XSS attack.
The following URL will trigger an alert box in FireFox when visited, should the user be logged in as an Administrative user. http://localhost/wp-admin/admin.php?groupby1=checked><img+src%3Dx+onerror%3Dalert(1)&page;=nsp_search&newstatpress;_action=search
CPE | Name | Operator | Version |
---|---|---|---|
newstatpress | lt | 1.0.6 |