🔍 Vulnerability Summary
The WP Publications plugin for WordPress (versions <= 1.2) is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the bibtexbrowser.php script shipped with the plugin.
The names of .bib files are written into the generated HTML without escaping, so a file whose name contains markup is rendered as live HTML. An attacker who can place such a file on the server therefore gets JavaScript executed in the browser of anyone who views the page, including administrators.
⚠️ Risk & Impact
- Stored XSS is executed in the admin context
- Bypasses the unfiltered_html restriction that normally prevents lower-privileged users from injecting script (relevant on multisite, where only super admins hold that capability by default)
- Can lead to session hijacking, privilege escalation, or phishing
✅ Mitigation
- Update the plugin once a patched version is available
- Until then, disable the plugin
- Restrict upload privileges to trusted users only
🔗 References
Proof of Concept (PoC)
poc.txt
<pre><code class="language-bash">touch "<img src=x onerror=alert('XSS')>.bib"</code></pre>
Then visit:
<pre><code class="language-url">https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=</code></pre>
Because the filename is written into the HTML unescaped, the injected <img> tag's onerror handler executes in the browser of whoever loads this URL, including an administrator.
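To make the defect and its fix concrete, the following is an added PHP illustration, not code from the WP Publications plugin or from bibtexbrowser.php. It builds a minimal file listing the way the advisory describes (filename concatenated straight into HTML), puts the context-correct escaping beside it, and adds a small scan for .bib filenames that already contain markup, which is the check to run alongside the mitigation steps above. The function names are hypothetical; the directory to scan is an assumption (pass the one the plugin actually reads its .bib files from). esc_html(), esc_attr() and esc_url() named in the comments are the real WordPress equivalents.

```php
<?php
// Added illustration (not the plugin's code): a minimal .bib file listing
// rendered the vulnerable way, the hardened way, plus a scan for filenames
// that already carry HTML markup.

declare(strict_types=1);

/**
 * Vulnerable pattern: the filename is concatenated straight into HTML.
 * A name such as "<img src=x onerror=alert('XSS')>.bib" becomes live markup,
 * which is exactly the condition the advisory describes.
 */
function render_bib_list_vulnerable(array $filenames): string
{
    $html = "<ul>\n";
    foreach ($filenames as $name) {
        $html .= '  <li><a href="?bib=' . $name . '">' . $name . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Hardened pattern: escape for the context the value lands in.
 *  - Text node: htmlspecialchars() turns < > & " ' into entities.
 *  - URL query value: rawurlencode() first, then attribute-escape the result.
 * Inside a WordPress plugin the equivalents are esc_html(), esc_attr() and esc_url().
 */
function render_bib_list_safe(array $filenames): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $html = "<ul>\n";
    foreach ($filenames as $name) {
        $href = '?bib=' . rawurlencode($name);
        $html .= '  <li><a href="' . htmlspecialchars($href, $flags, 'UTF-8') . '">'
               . htmlspecialchars($name, $flags, 'UTF-8') . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Detection helper for the mitigation step: return .bib filenames in $dir
 * that contain characters with HTML significance. $dir is an assumption;
 * point it at the directory the plugin serves to find already-planted payloads.
 */
function find_suspicious_bib_names(string $dir): array
{
    $hits = [];
    foreach (glob($dir . '/*.bib') ?: [] as $path) {
        $base = basename($path);
        if (preg_match('/[<>"\'&]/', $base)) {
            $hits[] = $base;
        }
    }
    return $hits;
}

// Constructed sample input: one benign name and the advisory's payload name.
$files = [
    'references.bib',
    "<img src=x onerror=alert('XSS')>.bib",
];

echo "--- vulnerable (second <li> contains a live <img> tag) ---\n";
echo render_bib_list_vulnerable($files);
echo "--- hardened (markup is rendered as text) ---\n";
echo render_bib_list_safe($files);

// Optional: scan a real directory given on the command line.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (find_suspicious_bib_names($argv[1]) as $bad) {
        echo "suspicious filename: {$bad}\n";
    }
}
```

Run it with `php listing.php` to see both renderings, or `php listing.php /path/to/bib/dir` to list filenames in that directory that contain `<`, `>`, `"`, `'` or `&`. The scan is a post-incident check, not a fix: a filename that is escaped at output time is harmless whatever characters it contains, so the hardened renderer is what a patched plugin needs, while the scan tells you whether someone already exploited the unpatched one.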