PT-2024-11712 · WordPress · Wordpress Visitors
Author: Mohammadreza Rashidi
Published: 2024-09-26 · Updated: 2024-10-01
CVE-2022-4541
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WordPress Visitors plugin for WordPress version 1.0
Description
The WordPress Visitors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a spoofed HTTP header value because of insufficient input sanitization and output escaping: header values sent by a visitor are stored and later written into a page without being escaped. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute whenever a user accesses the nm visitor page.
Recommendations
For version 1.0, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the nm visitor page to minimize the risk of exploitation.
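The pattern behind this advisory, as an added example that is not the plugin's code: a visitor log stores request header values (User-Agent, Referer) that any client can set freely, and an admin page later renders them. The first renderer concatenates the stored values straight into HTML, which is the defect described above; the second escapes every value at output time. To run outside WordPress, the example keeps the log in an in-memory array instead of the database and emulates WordPress's real esc_html() with htmlspecialchars(); the header values and IP address are constructed for the demonstration.

```php
<?php
// Added example, not the WordPress Visitors plugin's own code.
// Assumptions: in-memory log instead of the database; esc_html() emulated
// with htmlspecialchars() so the file runs without WordPress loaded.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress's esc_html(); inside WordPress the real function is used.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Request headers are untrusted input: the client chooses their content.
function record_visit(array &$log, array $server): void {
    $log[] = [
        'ip'      => $server['REMOTE_ADDR'] ?? '',
        'ua'      => $server['HTTP_USER_AGENT'] ?? '',
        'referer' => $server['HTTP_REFERER'] ?? '',
        'time'    => gmdate('c'),
    ];
}

// Vulnerable rendering: stored header values are interpolated into HTML unescaped,
// so any markup they contain becomes part of the page (stored XSS).
function render_visitors_unsafe(array $log): string {
    $rows = '';
    foreach ($log as $v) {
        $rows .= "<tr><td>{$v['ip']}</td><td>{$v['ua']}</td><td>{$v['referer']}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

// Hardened rendering: every value is escaped at the point it is written into HTML.
function render_visitors_safe(array $log): string {
    $rows = '';
    foreach ($log as $v) {
        $rows .= '<tr><td>' . esc_html($v['ip'])
               . '</td><td>' . esc_html($v['ua'])
               . '</td><td>' . esc_html($v['referer']) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

// Constructed request: the User-Agent and Referer carry markup instead of plain text.
$constructed_server = [
    'REMOTE_ADDR'     => '203.0.113.10',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <b>constructed-markup</b>',
    'HTTP_REFERER'    => 'https://example.test/?q="<i>ref</i>"',
];

$log = [];
record_visit($log, $constructed_server);

echo "Unsafe output (markup is live in the page):\n", render_visitors_unsafe($log), "\n\n";
echo "Escaped output (markup is shown as text):\n", render_visitors_safe($log), "\n";
```

Escaping at output is the control that closes this class of bug regardless of where the value came from; WordPress's sanitize_text_field() can additionally be applied when the value is stored, but storage-time sanitization alone is not a substitute for escaping at render time.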
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Wordpress Visitors