XSS / HTML injection vulnerability in WordPress Plugin Check (PCP) plugin.

The WordPress Plugin Check (PCP) plugin version 1.3.0 and below is prone to XSS / HTML injection.

XSS / HTML injection

CVSS v3.1: 6.1 (Medium)

The lack of sanitization of the error message could allow a bad actor to target the administrator reviewing a plugin by crafting a malicious string inside one of the plugin files, which would trick Plugin Check into returning unsanitized data and lead to XSS and HTML injection in the WordPress backend:

This type of XSS vulnerability targeting administrators in the WordPress backend can have severe repercussions, since it can be leveraged, for instance, to create an additional administrator account.
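To illustrate the class of bug described above, here is an added example (not code from the Plugin Check plugin) of a hypothetical admin-page renderer for a check result: the first function outputs the error message verbatim, the second escapes every untrusted value with WordPress's esc_html() before it reaches the reviewing administrator's browser. The result array, both renderer functions and the sample message are constructed for the example; a polyfill lets it run under plain PHP outside WordPress.

```php
<?php
// Added example, not code from the Plugin Check plugin. The result array,
// the two renderers and the sample message are hypothetical.

// Polyfill so the snippet runs under plain PHP; inside WordPress the real
// esc_html() is already defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed check result. The message is derived from the contents of a
// plugin file under review, so from the reviewer's perspective it is
// attacker-controlled input, not trusted output of the checker.
$result = array(
    'file'    => 'my-plugin/my-plugin.php',
    'line'    => 12,
    'message' => 'Unexpected token <img src=x onerror="alert(1)">',
);

// Vulnerable pattern: untrusted values are interpolated into admin HTML
// without escaping, so the markup in the message is rendered and executed.
function render_result_unsafe( array $r ) {
    return sprintf(
        '<tr><td>%s</td><td>%d</td><td>%s</td></tr>',
        $r['file'], $r['line'], $r['message']
    );
}

// Hardened pattern: every untrusted string is escaped for an HTML text
// context, and the line number is cast to an integer.
function render_result_safe( array $r ) {
    return sprintf(
        '<tr><td>%s</td><td>%d</td><td>%s</td></tr>',
        esc_html( $r['file'] ), (int) $r['line'], esc_html( $r['message'] )
    );
}

echo render_result_unsafe( $result ), "\n"; // markup survives, browser executes it
echo render_result_safe( $result ), "\n";   // markup is shown as literal text
```

The escaped output displays the offending token to the reviewer exactly as it appeared in the file, which is what the report is meant to convey, without giving the browser anything to execute.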

Recommendations

Update to at least version 1.3.1.

Timeline

The vulnerability was reported to the development team on September 1st, 2024 and escalated to the WordPress HackerOne program on December 3rd, 2024. It was eventually fixed on December 6th, 2024.
