Home

Description

The Injection Guard WordPress plugin before 1.2.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

PUBLISHED Reserved 2025-07-22 | Published 2025-08-14 | Updated 2025-08-14 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status
unaffected

Any version before 1.2.8
affected

Credits

Bob Matyas finder

WPScan coordinator

References

wpscan.com/...rability/14a53525-8c08-472d-bae4-b3f14368b802/ exploit vdb-entry technical-description

cve.org (CVE-2025-8046)

nvd.nist.gov (CVE-2025-8046)

Download JSON