all InfoSec news
Cross-Site Scripting in WordPress RSS Aggregator Plugin
May 14, 2024, 7:34 a.m. | Rémy Marot
Tenable Research Advisories www.tenable.com
A researcher at Tenable discovered a Cross-Site Scripting (XSS) vulnerability in the WordPress RSS Aggregator plugin.
The XSS exists because of a lack of sanitization of the 'notice_id' GET parameter.
Proof Of Concept:
The vulnerability can be reproduced by performing the following GET HTTP request against a WordPress instance using a vulnerable version of the plugin and noticing the client-side JavaScript execution :
curl 'http://WORDPRESS/wp-admin/admin-ajax.php?action=wprss_admin_notice_hide¬ice_id=onload=alert`1`>' -H 'Cookie: [subscriber cookie]'<code>
Rémy Marot
Tue, 05/14/2024 …
More from www.tenable.com / Tenable Research Advisories
Fluent Bit Memory Corruption Vulnerability
2 weeks, 1 day ago |
www.tenable.com
Cross-Site Scripting in WordPress RSS Aggregator Plugin
2 weeks, 4 days ago |
www.tenable.com
Solidus Stored Cross-Site Scripting
2 weeks, 4 days ago |
www.tenable.com
Delta Electronics DIAEnergie CEBC.exe Multiple Vulnerabilities
3 weeks, 5 days ago |
www.tenable.com
Approach.App Multiple Vulnerabilities
1 month, 1 week ago |
www.tenable.com
Path Traversal Affecting Multiple CData Products
1 month, 3 weeks ago |
www.tenable.com
Jobs in InfoSec / Cybersecurity
CyberSOC Technical Lead
@ Integrity360 | Sandyford, Dublin, Ireland
Cyber Security Strategy Consultant
@ Capco | New York City
Cyber Security Senior Consultant
@ Capco | Chicago, IL
Sr. Product Manager
@ MixMode | Remote, US
Corporate Intern - Information Security (Year Round)
@ Associated Bank | US WI Remote
Senior Offensive Security Engineer
@ CoStar Group | US-DC Washington, DC