
Test your site for the latest WordPress plugin XSS vulnerabilities

September 20, 2017

We have recently added a bunch of new security tests to Detectify, so you can now check your WordPress site for XSS vulnerabilities in popular plugins like Ninja Forms and Loco Translate. If you’re using one (or more) of the plugins listed below, make sure to run a new Detectify scan to see if your site is vulnerable.

What happens if an attacker exploits an XSS vulnerability?

XSS can be used to steal session cookies, stage convincing phishing pages and tabnabbing attacks, all of which can lead to stolen information and hijacked accounts. Most of the findings below are authenticated reflected XSS: the attacker has to get a logged-in user, typically an administrator, to open a crafted link to the plugin's admin page. That is a real constraint, but the payoff is high, because script running in a WordPress administrator's browser can do anything the administrator can do through the dashboard, including creating new admin users or editing plugin and theme files, so an admin-only XSS is usually a path to full site compromise.

New WordPress plugin XSS vulnerabilities

Our new WordPress XSS security tests

WooCommerce PDF Invoices & Packing Slips Authenticated XSS (v. 2.0.9)
The plugin is vulnerable to authenticated reflected XSS via the ‘tab’ parameter.

Ninja Forms Authenticated XSS (prior to v. 3.1.9)
Ninja Forms is a popular web form plugin with over 900,000 active installs on WordPress. Versions prior to v. 3.1.9 are vulnerable to authenticated reflected XSS. The vulnerability was submitted to Detectify Crowdsource as a 0-day and has since been patched, so updating to 3.1.9 or later resolves it.

Anti-Malware Security and Brute-Force Firewall Authenticated XSS (v. 4.17.29)
The Anti-Malware Security and Brute-Force Firewall plugin is vulnerable to authenticated reflected XSS via the ‘GOTMLS_mt’ parameter.

Pretty Links Authenticated XSS (v. 2.1.2)
The plugin is vulnerable to authenticated reflected XSS via the ‘message’ parameter.

Loco Translate Authenticated XSS (v. 2.0.15)
This version of the Loco Translate plugin is vulnerable to authenticated reflected XSS via a bypass of its translation filter.

Google Pagespeed Insights Authenticated XSS (v. 3.0.0)
Performance plugin Google Pagespeed Insights is vulnerable to authenticated reflected XSS via the ‘filter’ parameter.

Booking Calendar Authenticated XSS (v. 2.0.9)
The plugin is vulnerable to authenticated reflected XSS via the tab_cvm parameter.

Crelly Slider Authenticated XSS (prior to v. 1.2.2)
The Crelly Slider plugin is vulnerable to authenticated reflected XSS via the id parameter.

Pinfinity XSS (prior to v. 1.9.2)
The popular WordPress theme Pinfinity (a theme, not a plugin) is vulnerable to reflected XSS via the ‘s’ (search) parameter. Unlike the plugin issues above, this one requires no login: the search parameter is part of the public front end, so any visitor who follows a crafted link is affected.

How to check if you are vulnerable

If you think your site might be affected, simply log in to your Detectify account, click on your Scan profile and start a new scan. All security issues the scanner discovers will be listed in your scan report.
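Every reflected XSS test above reduces to one question per parameter: does the value you send come back in the page with its HTML-significant characters (quotes and angle brackets) intact? The Python script below is an added example and is not Detectify's scanner code. It sends a unique canary wrapped in marker tokens, then classifies the response as not reflected, reflected but escaped, or reflected with specific characters surviving. The functions `vulnerable_admin_page`, `hardened_admin_page` and `allowlisted_admin_page` are constructed stand-ins for a plugin settings page that echoes a `tab` parameter, like the bug class noted for WooCommerce PDF Invoices above (they are not that plugin's code). `probe()` runs the same check against a live URL and assumes you supply your own logged-in WordPress session cookie, since these are authenticated findings and the admin page will redirect to the login form otherwise.

```python
"""Reflection probe for a single GET parameter (illustrative, not Detectify's scanner)."""
import html
import secrets
import urllib.parse
import urllib.request

# Characters that let a reflected value break out of an attribute or a text node.
SPECIALS = "\"'<>"


def make_canary() -> str:
    """token + specials + token: the trailing token tells us the reflection is ours."""
    token = "dtfy" + secrets.token_hex(4)          # 12 alphanumeric chars, survives escaping
    return f"{token}{SPECIALS}{token}"


def _token(canary: str) -> str:
    return canary[: (len(canary) - len(SPECIALS)) // 2]


def surviving_specials(body: str, canary: str) -> str:
    """Return the special characters that came back verbatim between the two markers."""
    token = _token(canary)
    found: set = set()
    pos = body.find(token)
    while pos != -1:
        i = pos + len(token)
        seen = set()
        for ch in SPECIALS:
            if body.startswith(ch, i):            # raw character: survived
                seen.add(ch)
                i += 1
            elif body.startswith("&", i):         # an entity such as &quot; replaced it
                end = body.find(";", i)
                if end == -1 or end - i > 8:
                    break
                i = end + 1
            # otherwise the character was stripped; move on to the next one
        if body.startswith(token, i):             # closing marker intact: this is our value
            found |= seen
        pos = body.find(token, pos + 1)
    return "".join(ch for ch in SPECIALS if ch in found)


def classify(body: str, canary: str) -> str:
    if _token(canary) not in body:
        return "not reflected"
    survivors = surviving_specials(body, canary)
    return "reflected, escaped" if not survivors else f"reflected, unescaped: {survivors}"


def probe(url: str, param: str, cookie: str = "") -> str:
    """Fetch `url` with the canary in `param` (as the logged-in user in `cookie`) and classify it."""
    canary = make_canary()
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query[param] = canary
    target = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    headers = {"Cookie": cookie} if cookie else {}  # assumed: caller supplies wordpress_logged_in_* cookie
    with urllib.request.urlopen(urllib.request.Request(target, headers=headers), timeout=10) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return classify(body, canary)


# --- constructed stand-ins for a plugin settings page (not any real plugin's code) ---

def vulnerable_admin_page(tab: str) -> str:
    """The bug class above: the GET parameter is echoed straight into an attribute."""
    return f'<input type="hidden" name="tab" value="{tab}"><h2>Settings</h2>'


def hardened_admin_page(tab: str) -> str:
    """Output escaping, the Python equivalent of WordPress's esc_attr()."""
    return f'<input type="hidden" name="tab" value="{html.escape(tab, quote=True)}"><h2>Settings</h2>'


ALLOWED_TABS = ("general", "display", "advanced")


def allowlisted_admin_page(tab: str) -> str:
    """Allowlisting on top of escaping: unknown tab names never reach the page at all."""
    return hardened_admin_page(tab if tab in ALLOWED_TABS else "general")


if __name__ == "__main__":
    c = make_canary()
    for name, page in (("vulnerable", vulnerable_admin_page),
                       ("escaped", hardened_admin_page),
                       ("allowlisted", allowlisted_admin_page)):
        print(f"{name:12s} -> {classify(page(c), c)}")
    # Live use (authenticated): probe("https://example.org/wp-admin/admin.php?page=settings", "tab",
    #                                  cookie="wordpress_logged_in_...=...")
```

A "reflected, escaped" result is not proof of safety (the value may land in a JavaScript string or URL context where HTML entities are the wrong defence), but "reflected, unescaped" with `"` or `<` surviving is a finding worth reporting on the spot. Send the probe only against sites you are authorised to test.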

Start a scan and identify XSS vulnerabilities on your WordPress site

Stay safe!

The Detectify team
