WordPress WP-Invoice 4.3.1 Cross Site Scripting

WordPress WP-Invoice plugin version 4.3.1 suffers from a persistent cross site scripting vulnerability.

Packet Storm
#xss #vulnerability #wordpress #php #auth

# Exploit Title: WordPress Plugin WP-Invoice - Stored Cross Site Scripting
# Date: 25-04-2022
# Exploit Author: Mariam Tariq - HunterSherlock
# Vendor Homepage: https://wordpress.org/plugins/WP-Invoice/
# Version: 4.3.1
# Tested on: Firefox
# Contact me: [email protected]

# Vulnerable Code:

```php
wpi.business_name = '<?php echo ($wpi_settings['business_name']); ?>';
```

# POC

1. Install the WP-Invoice WordPress plugin and activate it.
2. Go to WP-Invoice settings and inside the Business Name field inject the XSS payload "><img src=x onerror=alert(1)>
3. The XSS will trigger and will be stored.

## POC Image

https://imgur.com/rsHIEO9
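The quoted line echoes a stored setting straight into a JavaScript string literal inside an inline script, so any quote or tag characters in the value reach the browser unencoded. The following is an added example (not code from the advisory or from the WP-Invoice plugin) that renders that line the vulnerable way and the hardened way, using the advisory's payload as constructed input; the function names and the `JSON_HEX_*` encoding choice are the example's own, and the WordPress equivalent is noted below.

```php
<?php
// Added example, not part of the WP-Invoice advisory or plugin source.
// Run with: php xss_js_context.php

// Constructed attacker input: the payload from the advisory's POC step 2.
$payload = '"><img src=x onerror=alert(1)>';

// Vulnerable: raw concatenation into a single-quoted JS string literal,
// which is what the advisory's quoted line does with $wpi_settings['business_name'].
function render_vulnerable(string $business_name): string {
    return "wpi.business_name = '" . $business_name . "';";
}

// Hardened: encode for the JavaScript-in-HTML context rather than for HTML.
// JSON_HEX_TAG turns < and > into \u003c / \u003e, so the value can neither
// inject a tag nor close the surrounding <script> element; JSON_HEX_QUOT,
// JSON_HEX_APOS and JSON_HEX_AMP cover the remaining delimiters. The result
// is a valid JS string expression, so it is emitted without extra quotes.
function render_hardened(string $business_name): string {
    $encoded = json_encode(
        $business_name,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    return "wpi.business_name = " . $encoded . ";";
}

// Reviewer's quick check: a literal '<' or a bare quote in the rendered
// script means the value was not encoded for this context.
function leaks_markup(string $js_line): bool {
    return strpos($js_line, '<') !== false
        || preg_match('/=\s*\'[^\']*"[^\']*\'/', $js_line) === 1;
}

echo render_vulnerable($payload), PHP_EOL;
// wpi.business_name = '"><img src=x onerror=alert(1)>';
echo render_hardened($payload), PHP_EOL;
// wpi.business_name = "\u0022\u003e\u003cimg src=x onerror=alert(1)\u003e";

var_dump(leaks_markup(render_vulnerable($payload))); // bool(true)
var_dump(leaks_markup(render_hardened($payload)));   // bool(false)
```

Inside a WordPress plugin the same output encoding is `wp_json_encode( $wpi_settings['business_name'] )`, or `esc_js()` when the value must stay inside an existing single-quoted string. Escaping with `esc_html()` alone is the wrong tool here because the sink is a script block, not element text. Sanitizing the field on save (for example with `sanitize_text_field()`) is worthwhile defense in depth, but the value still has to be encoded at the point where it is written into the script.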

Related news

CVE-2021-36867: WordPress Psychological tests & quizzes plugin <= 0.21.19 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher user rights.

WordPress Coru LFMember 1.0.2 Cross Site Scripting

WordPress Coru LFMember plugin version 1.0.2 suffers from a persistent cross site scripting vulnerability.

Gitlab 14.9 Cross Site Scripting

Gitlab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability.

SecurityScorecard Launches Cyber Risk Quantification Portfolio

SecurityScorecard's Cyber Risk Quantification portfolio helps customers understand the financial impact of a cyber-attack.

Firms Push for CVE-Like Cloud Bug System

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.
