Title: Persistent Cross-Site Scripting
Last modified: February 7, 2017

---

# Persistent Cross-Site Scripting

 *  [advidsec](https://wordpress.org/support/users/advidsec/)
 * (@advidsec)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/persistent-cross-site-scripting/)
 * III. DESCRIPTION
   A Persistent XSS vulnerability has been detected in Easy Table that allows
   arbitrary HTML/script code to be executed in the context of the victim user's
   browser.
 * IV. PROOF OF CONCEPT
   Malicious Request: `/wordpress/wp-admin/options-general.php?page=easy-table`
 * `easy_table_plugin_option[shortcodetag]`,
   `easy_table_plugin_option[attrtag]`,
   `easy_table_plugin_option[class]`,
   `easy_table_plugin_option[width]`,
   `easy_table_plugin_option[border]`,
   `easy_table_plugin_option[align]`,
   `easy_table_plugin_option[limit]`,
   `easy_table_plugin_option[nl]`,
   `easy_table_plugin_option[terminator]`,
   `easy_table_plugin_option[delimiter]`,
   `easy_table_plugin_option[escape]`
 * In all of these parameters an attacker can inject, for example,
   `"><script>alert(1)</script>` to perform a Persistent Cross-Site Scripting attack.

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [pluginvulnerabilities](https://wordpress.org/support/users/pluginvulnerabilities/)
 * (@pluginvulnerabilities)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/persistent-cross-site-scripting/#post-8751682)
 * That page is only accessible to Administrator-level users and they normally are
   permitted to use the equivalent of cross-site scripting (XSS) due to them having
   the [unfiltered_html capability](https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html),
   so them being able to do what is mentioned here wouldn’t be a vulnerability on
   its own. If that could be combined with cross-site request forgery (CSRF) when
   saving those values then there would be a vulnerability, but CSRF is prevented
   with [proper use of a nonce](https://codex.wordpress.org/WordPress_Nonces). So
   there doesn’t look to be a vulnerability here, but it does look like it could
   be considered a bug.
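The two positions above can be seen side by side in code: the proof of concept's claim that the `easy_table_plugin_option[...]` fields are echoed back unescaped, and the reply's point that the page is Administrator-only and that its save is nonce-protected, so the issue is a bug rather than an exploitable vulnerability. The block below is an added example, not Easy Table's code and not posted by either participant. It is a minimal WordPress settings page storing an option array with the keys listed in the proof of concept, showing the unescaped output pattern beside the hardened form (sanitize on save, escape on output, capability check, nonce via the Settings API). It assumes WordPress is loaded; the option name, settings group, page slug and every `demo_*` function name are made up for this example.

```php
<?php
/**
 * Added example, not Easy Table's code and not from either poster.
 * Assumes WordPress is loaded; the option name, settings group, page slug
 * and all demo_* function names are invented for this illustration.
 */

const DEMO_OPTION_NAME  = 'easy_table_demo_option';   // assumed, not the plugin's option
const DEMO_OPTION_GROUP = 'easy_table_demo_group';    // assumed settings group
const DEMO_OPTION_KEYS  = array(                      // keys from the proof of concept
    'shortcodetag', 'attrtag', 'class', 'width', 'border', 'align',
    'limit', 'nl', 'terminator', 'delimiter', 'escape',
);

// Bug pattern (not hooked anywhere): the stored value is echoed straight into
// an attribute. A saved value of "><script>alert(1)</script> closes the
// attribute and the <input>, and the script runs for every admin who opens
// the settings page. This is what the proof of concept describes.
function demo_render_field_unescaped( array $opt, $key ) {
    echo '<input type="text" name="' . DEMO_OPTION_NAME . '[' . $key . ']" value="' . $opt[ $key ] . '">';
}

// Hardened: escape on output. esc_attr() encodes " < > & so the stored value
// cannot leave the attribute, whatever an administrator typed into it.
function demo_render_field( array $opt, $key ) {
    $value = isset( $opt[ $key ] ) ? $opt[ $key ] : '';
    printf(
        '<label>%s <input type="text" name="%s[%s]" value="%s"></label><br>',
        esc_html( $key ),
        esc_attr( DEMO_OPTION_NAME ),
        esc_attr( $key ),
        esc_attr( $value )
    );
}

// Hardened: sanitize on save. Registered as the option's sanitize_callback,
// it runs before update_option() stores the submitted array.
function demo_sanitize_option( $input ) {
    $clean = array();
    $input = is_array( $input ) ? $input : array();
    foreach ( DEMO_OPTION_KEYS as $key ) {
        // sanitize_text_field() strips tags, line breaks and extra whitespace;
        // keys not in DEMO_OPTION_KEYS are dropped.
        $clean[ $key ] = isset( $input[ $key ] ) ? sanitize_text_field( $input[ $key ] ) : '';
    }
    return $clean;
}

function demo_render_settings_page() {
    // Capability check: the page is Administrator-only, as the reply notes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    $opt = (array) get_option( DEMO_OPTION_NAME, array() );
    echo '<div class="wrap"><h1>Easy Table demo options</h1>';
    echo '<form method="post" action="options.php">';
    // settings_fields() emits the option_page, action and _wpnonce fields;
    // wp-admin/options.php then calls check_admin_referer() on that nonce.
    // That is the CSRF protection the reply refers to: without it a forged
    // form on another site could save the payload on behalf of a logged-in admin.
    settings_fields( DEMO_OPTION_GROUP );
    foreach ( DEMO_OPTION_KEYS as $key ) {
        demo_render_field( $opt, $key );
    }
    submit_button();
    echo '</form></div>';
}

add_action( 'admin_init', function () {
    register_setting(
        DEMO_OPTION_GROUP,
        DEMO_OPTION_NAME,
        array( 'sanitize_callback' => 'demo_sanitize_option' )
    );
} );

add_action( 'admin_menu', function () {
    add_options_page(
        'Easy Table demo',
        'Easy Table demo',
        'manage_options',          // only Administrators reach the page
        'easy-table-demo',
        'demo_render_settings_page'
    );
} );
```

The output escaping is the part that closes the hole the proof of concept shows; `sanitize_text_field()` is used here for the demo and may be too aggressive for a real plugin whose `delimiter`, `terminator` or `nl` options must accept characters it strips, in which case a narrower sanitizer is appropriate while `esc_attr()` on output stays. Because an Administrator holds `unfiltered_html` anyway, the practical risk the reply weighs is only the CSRF path, which the Settings API nonce already blocks.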
 *  Thread Starter [advidsec](https://wordpress.org/support/users/advidsec/)
 * (@advidsec)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/persistent-cross-site-scripting/#post-8756990)
 * Hello,
 * I know that the page is only accessible to Administrators, but it is a fact
   that the page does not correctly sanitize or validate the input of the parameters.
 * [https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))
 * So I think the developer will correct the bug to prevent this “vulnerability”.
 * Regards,
 *  [pluginvulnerabilities](https://wordpress.org/support/users/pluginvulnerabilities/)
 * (@pluginvulnerabilities)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/persistent-cross-site-scripting/#post-8757687)
 * Administrator-level users are normally permitted to use the equivalent of cross-
   site scripting (XSS) due to them having the [unfiltered_html capability](https://codex.wordpress.org/Roles_and_Capabilities#unfiltered_html),
   so what they can do there wouldn’t be a vulnerability.
 * This could be considered a bug though and it looks like the plugin could be changed
   to prevent the issue from happening without it causing any problems.
 *  Thread Starter [advidsec](https://wordpress.org/support/users/advidsec/)
 * (@advidsec)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/persistent-cross-site-scripting/#post-8776921)
 * Good copy & paste, GL 🙂


The topic ‘Persistent Cross-Site Scripting’ is closed to new replies.

 * [Easy Table](https://wordpress.org/plugins/easy-table/)

 * 4 replies
 * 2 participants
 * Last reply from: [advidsec](https://wordpress.org/support/users/advidsec/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/persistent-cross-site-scripting/#post-8776921)
 * Status: not resolved