all InfoSec news
Reflected Cross-Site Scripting in AYS Popup Box WordPress Plugin
Tenable Research Advisories www.tenable.com
A researcher at Tenable discovered an unauthenticated reflected cross-site scripting (XSS) vulnerability in the AYS Popup Box WordPress plugin.
The XSS vulnerability exists in the 'upgrade_plugin' parameter of the 'deactivate_plugin_option_pb' action, as the parameter is reflected in the response without prior filtering with a Content-Type header of text/html.
The vulnerable code was present in the function 'deactivate_plugin_option()' of the file 'admin/class-ays-pb-admin.php'.
Proof of …
action box cross-site parameter plugin popup researcher response scripting tenable vulnerability wordpress wordpress plugin xss