XSS in Duplicate Post 2.4.1


Last revised:

This plugin contains a reflected XSS vulnerability which can be used against admin users.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 7.5 High
Vector Network
Complexity Low
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Works in browsers that don’t attempt to block reflected XSS:


Advisory timeline

  • 2013-10-29: Discovered
  • 2014-02-26: Reported
  • 2014-03-17: Updated version discovered which reports issue fixed.

Mitigation/further actions

Upgrade immediately.