vendor:
OneSignal
by:
LiquidWorm
5.5
CVSS
MEDIUM
Cross-Site Scripting
79
CWE
Product Name: OneSignal
Affected Version From: 1.17.5
Affected Version To: 1.17.5
Patch Exists: YES
Related CWE:
CPE: a:wordpress:onesignal:1.17.5
Platforms Tested: Linux
2019
WordPress Plugin OneSignal 1.17.5 – Persistent Cross-Site Scripting
The application suffers from an authenticated stored XSS via POST request. The issue is triggered when input passed via the POST parameter 'subdomain' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Mitigation:
Sanitize user input before returning it to the user to prevent XSS attacks.