The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue
curl -H 'x-tomato: ’ ‘https://example.com/?nxs-cronrun=yes’ The XSS will be triggered in the Log/History dashboard (/wp-admin/admin.php?page=nxs-log)
CPE | Name | Operator | Version |
---|---|---|---|
social-networks-auto-poster-facebook-twitter-g | lt | 4.3.25 |