Wp Debugging
Monthly
Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.