ThreatPress

WordPress Vulnerabilities Database

WordPress ImageInject plugin 1.15 - Stored Cross-Site Scripting vulnerability

Product
ImageInject
Description
A stored cross-site scripting vulnerability was found by wpl0v3r in the WordPress ImageInject plugin (version 1.15). The plugin is vulnerable via the flickr_appid parameter to wp-admin/options-general.php.
Solution
As of 1/9/2018, we were unable to find a patched version of the plugin. It is dangerous to use.
Classification
Type: XSS (Cross Site Scripting)
OWASP Top 10: A3: Cross Site Scripting (XSS)
References
Plugin changelog
CVE
Name: CVE-2018-5284
Versions
Affected in: 1.15
Disclosure date
2018-01-09
Credits
wpl0v3r
Submitter
ThreatPress