WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to set up a donation page on a website. It currently has 60k installs.

During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrary code on an administrative page.

If you are using a version lower than 2.4.7, you should update immediately.

When creating a donation, all of the arguments are sanitized as text fields, but this sanitization does not take into account the context in which the values are later reflected.
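To make the sanitization-versus-output-context point concrete, here is an added Python model that is not code from the Sucuri post or from the Give plugin. The `sanitize_text_field` function is only a simplified approximation of the WordPress helper of the same name, and the two `render_*` functions are assumed page templates: one places the sanitized value directly into an attribute, the other escapes it for that context first.

```python
import html
import re
from html.parser import HTMLParser


def sanitize_text_field(value: str) -> str:
    """Simplified approximation (assumption, not the WordPress source) of
    sanitize_text_field(): strip tags, drop line breaks, collapse whitespace.
    Note that it never touches quote characters."""
    value = re.sub(r"<[^>]*>", "", value)
    value = value.replace("\r", "").replace("\n", "")
    return " ".join(value.split()).strip()


def render_unescaped(name: str) -> str:
    # Weak pattern: a value sanitized at input time is dropped into an
    # attribute without escaping for the attribute context.
    return f'<input type="text" value="{name}">'


def render_escaped(name: str) -> str:
    # Hardened pattern: escape at output time for the attribute context
    # (the role esc_attr() plays in WordPress templates).
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser-like parser sees on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    # Constructed donor name: no tags, so text-field sanitization keeps it,
    # yet the quote lets it add an attribute when reflected unescaped.
    donor = sanitize_text_field('Jane" data-injected="1')
    print(parsed_attributes(render_unescaped(donor)))  # extra attribute appears
    print(parsed_attributes(render_escaped(donor)))    # value stays one string
```

The parsed attribute dictionaries show the difference a browser would see: the unescaped template yields a third attribute, while the escaped one keeps the whole donor string inside `value`.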

Continue reading WordPress Plugin Give – Stored XSS for Donors at Sucuri Blog.

Date: 2019-05-15 17:55:56

Source: https://blog.sucuri.net/2019/05/wordpress-plugin-give-stored-xss-for-donors.html