WordPress Plugin Vulnerabilities

OptinMonster < 2.6.1 - Reflected Cross-Site Scripting (XSS)

Description

The plugin was vulnerable to Reflected Cross-Site Scripting (XSS) due to insufficient input validation in the load_previews function found in the ~/OMAPI/Output.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.6.0.

Affects Plugins

Plugin icon
optinmonster
Fixed in 2.6.1

References

CVE
CVE-2021-34650
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34650
URL
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2595758%40optinmonster&new=2595758%40optinmonster&sfp_email=&sfph_mail=#file2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Mariia Aleksandrova
Submitter
Ryan
Verified
No
WPVDB ID
6c5ff583-c89f-4105-9468-39b4accb6922

Timeline

Publicly Published
2021-09-21 (about 2 years ago)
Added
2021-09-21 (about 2 years ago)
Last Updated
2022-04-10 (about 2 years ago)

Other

Published
Title
Published
2023-12-05
Title
WP Photo Album Plus < 8.6.01.005 - Cross-Site Scripting
Published
2024-03-06
Title
Booster for WooCommerce < 7.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortocde
Published
2024-01-10
Title
Voting Record <= 2.0 - Subscriber+ Stored XSS
Published
2014-08-01
Title
Your Text Manager < 0.3.0 - Cross-Site Scripting (XSS)
Published
2022-02-09
Title
Ditty (formerly Ditty News Ticker) < 3.0.15 - Reflected Cross-Site Scripting (XSS)