CVE-2019-19133

Name of the Vulnerable Software and Affected Versions CSS Hero plugin versions prior to 4.0.4

Description The issue is related to reflected XSS via the URI in a csshero action=edit page request. It occurs because the plugin fails to sufficiently sanitize user-supplied input, allowing an attacker to execute arbitrary JavaScript in the browser of an unsuspecting user. This could enable the attacker to steal cookies or launch other attacks.

Recommendations For CSS Hero plugin versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the csshero action=edit page request to minimize the risk of exploitation.