• Hi,
    I received this warning:
    WordPress Tournamatch Plugin <= 4.6.1 – Reflected Cross Site Scripting (XSS) vulnerability

    Reflected Cross Site Scripting (XSS) vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Tournamatch (versions <= 4.6.1)
    Source: Patchstack

Viewing 1 replies (of 1 total)
  • Plugin Author Andrew Messier

    (@messyhair66)

    Hi There!

    I received this first back in January and evaluated what they flagged. It’s a false positive. I shared with them the code that had been marked, explained each line, and showed where the output was escaped.

    Unfortunately, they did not reply and have not taken it down.

    In their report, they [falsely] asserted that anyone could inject a malicious status into the admin URL, and since key is not escaped, the status could lead to an XSS attack. As you can see in the below screenshot, status/key is not escaped because it has only three possible values.
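    The pattern the reply describes, a query parameter that is reflected into admin-page output but restricted to a fixed set of values, is shown below as an added example. This is not the Tournamatch plugin's code and was not posted by either participant; the parameter name `status`, the three accepted values and the fallback default are assumptions. It shows the allow-list check that keeps attacker-controlled text out of the page, and adds output escaping on top of it so the template stays safe if the value set ever grows. In WordPress the escaping call would be `esc_attr()`; plain-PHP `htmlspecialchars()` is used here so the file runs stand-alone.

```php
<?php
// Added example (not the Tournamatch plugin's code): allow-listing a
// reflected "status" query parameter before it reaches admin-page output.
// The parameter name and the three accepted values are assumptions.

const ALLOWED_STATUS = ['pending', 'active', 'complete']; // hypothetical values
const DEFAULT_STATUS = 'pending';

/**
 * Return the requested status only if it is one of the known values;
 * anything else collapses to the default, so arbitrary request text is
 * never carried forward into the rendered page.
 */
function resolve_status(array $query): string {
    $raw = isset($query['status']) ? (string) $query['status'] : '';
    // Strict comparison (third argument true) avoids PHP's loose-equality
    // surprises such as "0" == "pending" edge cases with non-string input.
    return in_array($raw, ALLOWED_STATUS, true) ? $raw : DEFAULT_STATUS;
}

/**
 * Render the status into an attribute and a text node. Even though the value
 * is now one of three safe tokens, escaping on output is belt-and-braces:
 * it protects the template if the allow-list is widened later.
 * In WordPress this is esc_attr() / esc_html(); htmlspecialchars() is the
 * plain-PHP equivalent used so this example runs without WordPress loaded.
 */
function render_status_link(string $status): string {
    $safe = htmlspecialchars($status, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="status-' . $safe . '" href="?status=' . rawurlencode($status) . '">'
        . $safe . '</a>';
}

// Constructed inputs: a legitimate value and a markup-bearing probe of the
// kind a scanner would send when testing for reflection.
$good = resolve_status(['status' => 'active']);
$bad  = resolve_status(['status' => '"><b>injected</b>']);

assert($good === 'active');
assert($bad === DEFAULT_STATUS); // probe never reaches the output

echo render_status_link($good), PHP_EOL;
echo render_status_link($bad), PHP_EOL;
```

    Run with `php example.php`; the second line shows the default status rather than any part of the probe, which is the property a reviewer should confirm when deciding whether a "reflected parameter" report is a true finding or a false positive.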

The topic ‘XSS vulnerability’ is closed to new replies.