WPFront User Role Editor < 3.2.1.11184 - Reflected Cross-Site Scripting

2021-11-2300:00:00

JrXnm

wpscan.com

wpfront user role editor

plugin vulnerability

cross-site scripting

EPSS

0.001

Percentile

41.1%

JSON

The plugin does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting

PoC

https://example.com/wp-admin/admin.php?page=wpfront-user-role-editor-bulk-edit&screen;=add-remove-cap&submit;=Next+Step&changes-saved;=<script>alert(/XSS/)<%2Fscript>

EPSS

0.001

Percentile

41.1%

JSON

Related for WPVDB-ID:96BB2FBA-4B18-4C29-8344-3BA4D2F06A19