CVE-2019-14470

Name of the Vulnerable Software and Affected Versions cosenary Instagram-PHP-API (aka Instagram PHP API V2) as used in the UserPro plugin through 4.9.32 for WordPress

Description The issue is related to cross-site scripting (XSS) via the error description parameter in the example/success.php file. This allows for potential exploitation. The vulnerable code snippet is:

if (isset($ GET['error'])) {
  echo 'An error occurred: ' . $ GET['error description'];
}

A proof-of-concept exploit is demonstrated using the URL https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error description=<PAYLOAD>.

Recommendations For the UserPro plugin through 4.9.32 for WordPress, consider disabling the example/success.php file or restricting access to it until a patch is available. Avoid using the error description parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.