Reflected Cross-Site Scripting in AYS Popup Box WordPress Plugin

Aug. 3, 2023, 1:16 p.m. | Evan Grant

Tenable Research Advisories www.tenable.com

A researcher at Tenable discovered an unauthenticated reflected cross-site scripting (XSS) vulnerability in the AYS Popup Box WordPress plugin.

The XSS vulnerability exists in the 'upgrade_plugin' parameter of the 'deactivate_plugin_option_pb' action, as the parameter is reflected in the response without prior filtering with a Content-Type header of text/html.

The vulnerable code was present in the function 'deactivate_plugin_option()' of the file 'admin/class-ays-pb-admin.php'.

Proof of …

action box cross-site parameter plugin popup researcher response scripting tenable vulnerability wordpress wordpress plugin xss

Visit resource

More from www.tenable.com / Tenable Research Advisories

Fluent Bit Memory Corruption Vulnerability 2 weeks, 1 day ago | www.tenable.com

corruption memory memory corruption vulnerability

Cross-Site Scripting in WordPress RSS Aggregator Plugin 2 weeks, 4 days ago | www.tenable.com

cross-site plugin rss scripting +1

Solidus Stored Cross-Site Scripting 2 weeks, 4 days ago | www.tenable.com

cross-site inject javascript malicious +8

CyberPower PowerPanel Enterprise Power Device Network Utility Multiple Vulnerabilities 3 weeks, 2 days ago | www.tenable.com

access account action admin +42

Delta Electronics DIAEnergie CEBC.exe Multiple Vulnerabilities 3 weeks, 5 days ago | www.tenable.com

cve cve-2024 cvss delta +11

Approach.App Multiple Vulnerabilities 1 month, 1 week ago | www.tenable.com

app application exploitation management +9

Karros Technologies Authentication Bypass 1 month, 1 week ago | www.tenable.com

authentication authentication bypass bypass technologies

Ivanti Avalanche WLAvalancheService.exe Unauthenticated Heap-based Buffer Overflow 1 month, 2 weeks ago | www.tenable.com

avalanche big buffer buffer overflow +12

Path Traversal Affecting Multiple CData Products 1 month, 3 weeks ago | www.tenable.com

application attachment cookie date +14

CyberSOC Technical Lead

@ Integrity360 | Sandyford, Dublin, Ireland

View on infosec-jobs.com

Cyber Security Strategy Consultant

@ Capco | New York City

View on infosec-jobs.com

Cyber Security Senior Consultant

@ Capco | Chicago, IL

View on infosec-jobs.com

Sr. Product Manager

@ MixMode | Remote, US

View on infosec-jobs.com

Corporate Intern - Information Security (Year Round)

@ Associated Bank | US WI Remote

View on infosec-jobs.com

Senior Offensive Security Engineer

@ CoStar Group | US-DC Washington, DC

View on infosec-jobs.com

all InfoSec news

Reflected Cross-Site Scripting in AYS Popup Box WordPress Plugin

More from www.tenable.com / Tenable Research Advisories

Jobs in InfoSec / Cybersecurity

CyberSOC Technical Lead

Cyber Security Strategy Consultant

Cyber Security Senior Consultant

Sr. Product Manager

Corporate Intern - Information Security (Year Round)

Senior Offensive Security Engineer