• anderswihlgaard

    (@anderswihlgaard)


    DescriptionThe plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

    Proof of Concept
    [h5ap_inline_player src=”invalid’ onerror=’alert(1)'”]

    Information from Wpscan

Viewing 1 replies (of 1 total)
Viewing 1 replies (of 1 total)
  • The topic ‘need a updates’ is closed to new replies.