WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS

The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.

N/A

N/A

WordPress Plugin WP VR 安全漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin WP VR 8.3.15 版本之前存在安全漏洞，该漏洞源于在挂钩到 admin_init 的函数中没有授权和跨站请求伪造验证，允许未经身份验证的用户降级插件，从而导致反射型或存储型跨站脚本因为以前的版本存在此类漏洞。

N/A

N/A