CVE-2015-9428

Name of the Vulnerable Software and Affected Versions wplegalpages plugin versions prior to 1.1

Description The issue concerns a CSRF with resultant XSS. It is exploitable via the wp-admin/admin.php?page=legal-pages endpoint with parameters such as lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche.

Recommendations For versions prior to 1.1, update to version 1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin.php?page=legal-pages endpoint to minimize the risk of exploitation. Avoid using the parameters lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche in the affected endpoint until the issue is resolved.