These issues can be exploited by attackers to execute arbitrary script code in a user’s browser. An attacker can expose user data through a SQL injection, for example. In certain cases, these issues lead to remote code execution (RCE). You can read more details about this issue here. This is a serious issue for users, as it can lead to identity theft or other information leaks. You should update the plugin to its latest version as soon as possible. If you haven’t updated the plugin for a long time, you should do that too.

2. Unsafe handling of user’s data through SQL Injection (XSS) in WHA Crossword plugin = 1.1.10 at WordPress.

If you use the WHA Crossword plugin, you should update it to its latest version as soon as possible. This is a serious issue for users, as it can lead to identity theft or other information leaks. If you haven’t updated the plugin for a long time, you should do that too.

What is a SQL Injection?

SQL Injection is a type of injection attack in which attacker-controlled input is sent on to the database server as part of a query, rather than only reaching the place it was supposed to go as data. This is achieved by including special characters in the input fields of web forms or in URL parameters, which causes unintended SQL commands to be executed on the back end. For example, suppose you had a parameter called id in your URL like this:
https://yourwebsite.com/w/yourapi?id=123456
If, instead of just 123456, you were able to append extra characters to the value:
https://yourwebsite.com/w/yourapi?id=123456789
the website would now pass 123456789 straight through to your database for processing.
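The id lookup described above, as an added illustration that is not the plugin's own code (Python with SQLite rather than the PHP/WordPress stack the plugin runs on): the same query built once by string concatenation and once with input validation plus a bound parameter. The table, rows and function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample table standing in for whatever the plugin stores;
# it is not the WHA Crossword plugin's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE puzzles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO puzzles VALUES (?, ?)",
        [(123456, "Monday crossword"), (123457, "Tuesday crossword")],
    )
    return conn

def lookup_unsafe(conn, raw_id):
    """Vulnerable pattern: the ?id= value is pasted into the SQL text,
    so anything after the digits becomes part of the query itself."""
    sql = f"SELECT id, title FROM puzzles WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, raw_id):
    """Hardened pattern: check the shape of the value first, then bind it
    as a parameter so the database only ever treats it as data."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a plain positive integer")
    sql = "SELECT id, title FROM puzzles WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "123456"))         # the one matching row
    print(lookup_unsafe(db, "123456 OR 1=1"))  # every row: the query text was altered
    print(lookup_safe(db, "123456789"))        # [] : unknown id, nothing else happens
    try:
        lookup_safe(db, "123456 OR 1=1")
    except ValueError as err:
        print("rejected:", err)                # the value never reaches the database
```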

What is the WHA Crossword plugin?

This is a plugin for the WordPress CMS that provides crossword puzzle solutions on your website.

How did we test the WHA Crossword plugin for XSS?

1. Open the WHA Crossword plugin in our browser
2. Change the input value of “Search by…” to a search term that will trigger the XSS issue
3. The text is displayed on the page
4. Click the link and open it in our browser
5. Notice that the user’s data is exposed
6. Click on another link to verify that the user’s data stays exposed

Timeline

Published on: 09/21/2022 20:15:00 UTC
Last modified on: 09/23/2022 16:53:00 UTC

References