Cross Site Scripting Vulnerability in Stockdio Historical Chart Plugin for WordPress
CVE-2020-28707

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
19 January 2021

Summary

The Stockdio Historical Chart plugin prior to version 2.8.1 for WordPress is susceptible to Cross Site Scripting (XSS) due to inadequate validation of the origin of postMessage() events. This vulnerability occurs in the stockdio_chart_historical-wp.js file, where the stockdio_eventer function listens for incoming postMessage events. If an attacker sends a crafted message from another origin, the function may incorrectly execute arbitrary JavaScript code by evaluating the received data.method value. This flaw can enable malicious scripts to be executed in the context of the affected WordPress site, potentially compromising user data and site integrity.
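The following is an added example, not the plugin's own code from stockdio_chart_historical-wp.js: it reconstructs the pattern the summary describes (a message listener that trusts every origin and evaluates `data.method`) next to a hardened listener that checks `event.origin` and dispatches through an allowlist. The names `chartApi`, `resize`, `setSymbol`, `args` and the origin `https://charts.example.test` are assumptions made for the illustration; both handlers take a plain `{origin, data}` object so they run outside a browser.

```javascript
// Constructed illustration for CVE-2020-28707 (not the plugin's code).
// In a page these would be attached with window.addEventListener("message", ...).

// Hypothetical chart API the embedding page legitimately wants to drive.
const chartApi = {
  resize: (w, h) => `resized to ${w}x${h}`,
  setSymbol: (sym) => `symbol set to ${sym}`,
};

// Origin of the frame the page expects messages from (assumed value).
const TRUSTED_ORIGIN = "https://charts.example.test";

// Method names the listener is willing to call; the name is a lookup key, never code.
const ALLOWED_METHODS = new Set(["resize", "setSymbol"]);

// VULNERABLE pattern as the advisory describes it: no origin check, and the
// method name carried in the message is handed straight to eval().
// Any window that can obtain a reference to this one can run script here.
function vulnerableHandler(event) {
  const data = event.data || {};
  // eslint-disable-next-line no-eval
  return eval(String(data.method));
}

// HARDENED listener: reject foreign origins, insist on a structured message,
// and resolve the method through an allowlist instead of evaluating it.
function hardenedHandler(event, trustedOrigin = TRUSTED_ORIGIN) {
  // 1. Only the origin we embedded may talk to us.
  if (event.origin !== trustedOrigin) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  // 2. Accept only an object with a string method name, never raw code.
  if (typeof data !== "object" || data === null || typeof data.method !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // 3. Allowlist lookup; hasOwnProperty keeps prototype keys like "constructor" out.
  if (!ALLOWED_METHODS.has(data.method) ||
      !Object.prototype.hasOwnProperty.call(chartApi, data.method)) {
    return { ok: false, reason: "unknown method: " + data.method };
  }
  const args = Array.isArray(data.args) ? data.args : [];
  return { ok: true, result: chartApi[data.method](...args) };
}

// Constructed sample messages: one from an unexpected origin carrying an
// expression, one well-formed call from the trusted origin.
const foreignMessage = { origin: "https://other.example.test", data: { method: "1 + 1" } };
const legitimateMessage = { origin: TRUSTED_ORIGIN, data: { method: "resize", args: [400, 300] } };

function demo() {
  return {
    vulnerableRanForeignCode: vulnerableHandler(foreignMessage), // 2: the expression was evaluated
    hardenedOnForeign: hardenedHandler(foreignMessage),          // rejected by origin check
    hardenedOnLegit: hardenedHandler(legitimateMessage),         // dispatched through allowlist
  };
}
```

The origin comparison is exact-match on `event.origin`; a regular expression or `indexOf` check is a common way to get this wrong, and the allowlist dispatch removes the need for any evaluation of message content at all.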

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
