ThreatPress

WordPress Vulnerabilities Database

WordPress Dark Mode plugin <=1.6 - Multiple stored Cross-Site Scripting (XSS) vulnerabilities

Product
Dark Mode
Description
Multiple stored Cross-Site Scripting (XSS) vulnerabilities were found by d4wner in the WordPress Dark Mode plugin (versions <=1.6). The XSS exists via the dark_mode_start and dark_mode_end parameters of wp-admin/profile.php.
Solution
Update the WordPress Dark Mode plugin to the latest available version (at least 1.7).
Classification
Type XSS (Cross Site Scripting)
OWASP Top 10 A3: Cross Site Scripting (XSS)
References
Plugin changelog
CVE
Name CVE-2018-5651, CVE-2018-5652
Versions
Affected In <=1.6
Fixed In 1.7
Disclosure date
2018-01-22
Credits
d4wner
Submitter
ThreatPress