### Vulnerability

This plugin takes input from `$_GET` and puts it directly into HTML without escaping it. This means that anybody who is able to convince an admin user to click on a link would be able to take control of their browser on that domain name and delete posts, add new admin users, etc.

### Proof of concept

Log in as an admin user with this plugin activated, using a browser without reflected XSS prevention (e.g. Firefox). Visit this URL:

`/wp-admin/admin.php?page=dpsp-toolkit&settings-updated=1&dpsp_message_id=0&dpsp_message_class=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`

### Mitigation/further actions

Update to version 1.2.6 or later.
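The unsafe pattern the advisory describes, shown next to a hardened version, as an added illustration that is not the plugin's own code (the plugin source is not on this page; only the parameter names `dpsp_message_class` and `dpsp_message_id` are taken from the proof-of-concept URL, and the function names are hypothetical):

```php
<?php
// Hypothetical reconstruction of the unsafe pattern: a query-string value is
// echoed straight into an HTML attribute. A value such as "><script>...</script>
// closes the attribute and the tag, so the rest is rendered as markup.
function dpsp_notice_vulnerable() {
    $class = isset( $_GET['dpsp_message_class'] ) ? $_GET['dpsp_message_class'] : '';
    $id    = isset( $_GET['dpsp_message_id'] ) ? $_GET['dpsp_message_id'] : '';
    echo '<div class="notice ' . $class . '" data-msg="' . $id . '"></div>';
}

// Hardened version: there is no reason for a visitor to choose an arbitrary CSS
// class, so the value is reduced to a fixed allow-list; the id is cast to an
// integer; and everything that reaches attribute context still goes through
// esc_attr() so that quotes and angle brackets cannot break out of the attribute.
function dpsp_notice_hardened() {
    $allowed = array( 'updated', 'error', 'notice-warning' );
    $raw     = isset( $_GET['dpsp_message_class'] )
        ? sanitize_key( wp_unslash( $_GET['dpsp_message_class'] ) )
        : '';
    $class   = in_array( $raw, $allowed, true ) ? $raw : 'updated';
    $id      = isset( $_GET['dpsp_message_id'] ) ? absint( $_GET['dpsp_message_id'] ) : 0;

    printf(
        '<div class="notice %s" data-msg="%d"></div>',
        esc_attr( $class ),
        $id
    );
}
```

`sanitize_key()`, `wp_unslash()`, `absint()` and `esc_attr()` are standard WordPress core functions; the allow-list is the real fix, and `esc_attr()` is the defence-in-depth layer in case the list is later relaxed.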