Description The plugin does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks.
curl https://example.com -H 'X-Forwarded-For: ’ Then, as a high-privileged user, visit
/wp-admin/index.php?page=useronline
CPE | Name | Operator | Version |
---|---|---|---|
eq | 2.88.3 |