CVE-2020-28707

Name of the Vulnerable Software and Affected Versions: Stockdio Historical Chart plugin versions prior to 2.8.1

Description: The issue affects the Stockdio Historical Chart plugin for WordPress, where the origin of a postMessage() event is not validated. This allows JavaScript code from a different website to call window.open for the vulnerable WordPress instance and send a postMessage event, potentially leading to Cross Site Scripting (XSS). The stockdio eventer function listens for any postMessage event and evaluates the data.method received from the event if the data and data.method types are not undefined.

Recommendations: For versions prior to 2.8.1, update to version 2.8.1 or later to resolve the issue. As a temporary workaround, consider disabling the stockdio eventer function until a patch is available. Restrict access to the stockdio chart historical-wp.js file in the wp-content/plugins/stockdio-historical-chart/assets/ directory to minimize the risk of exploitation. Avoid using the postMessage function with unvalidated origins until the issue is resolved.