Tag: plugin

Stored XSS Vulnerability found in WPForms Plugin

WPForms Plugin version 1.5.8.2 and below were found to be vulnerable to authenticated stored XSS while I was auditing the plugin. WPForms version 1.5.9 with improved data sanitization was released on March 5, 2020. CVE-2020-10385 Summary WPForms is...

CSV Injection in Export Users to CSV Plugin

Export Users to CSV is a WordPress plugin that allows website owners/admins to export users list and metadata in a CSV file. While testing the plugin, I was able to find that it is vulnerable to CSV Injection. CSV Injection, also known as Formula...

Cross-Site Request Forgery in Tutor LMS Plugin

While testing the popular WordPress LMS plugin, Tutor LMS, for one of Astra‘s clients, I was able to find that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are...

Reflected XSS in LearnDash WordPress Plugin

While performing a security audit on one of our client’s website, I discovered a reflected cross-site scripting (XSS) vulnerability in the WordPress LMS plugin by LearnDash. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are...

Topics