Cross Site Scripting Vulnerability in Stockdio Historical Chart Plugin for WordPress
CVE-2020-28707
What is CVE-2020-28707?
The Stockdio Historical Chart plugin for WordPress before version 2.8.1 is vulnerable to Cross Site Scripting (XSS) because it does not validate the origin of postMessage() events. The issue is in stockdio_chart_historical-wp.js, where the stockdio_eventer function registers a listener for incoming message events. The listener does not check event.origin, and it evaluates the received data.method value as JavaScript. Any page that can obtain a window reference to the affected site (for example by embedding it in an iframe or opening it with window.open) can therefore post a crafted message and have arbitrary script executed in the origin of the WordPress site, with the same access to cookies, session state and DOM that the site's own scripts have.
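The following is an added example, not code from the Stockdio plugin: a minimal message listener that reproduces the pattern the advisory describes (no origin check, data.method passed to eval) next to a hardened listener that checks event.origin against an expected origin and dispatches data.method through an allowlist of handler names instead of evaluating it. The handler names, the TRUSTED_ORIGIN value and the message payloads are constructed for illustration and are not taken from the plugin.

```javascript
// Added example, not the plugin's code. Simulates postMessage handling with
// plain event-like objects so it runs outside a browser.

// Assumed expected origin of the legitimate chart frame (placeholder value).
const TRUSTED_ORIGIN = "https://charts.example.com";

// Vulnerable pattern as described in the advisory (reconstructed sketch):
// the origin is never checked and data.method is executed as code.
function vulnerableHandler(event) {
  const data = event.data || {};
  return eval(data.method); // arbitrary script from any origin
}

// Hardened version: only named actions from the allowlist can run.
// A null-prototype object avoids matching inherited names such as
// "constructor" or "__proto__".
const HANDLERS = Object.assign(Object.create(null), {
  resize: (params) => ({ action: "resize", height: Number(params.height) || 0 }),
  ready: () => ({ action: "ready" }),
});

function hardenedHandler(event) {
  // 1. Reject messages that do not come from the expected origin.
  if (event.origin !== TRUSTED_ORIGIN) {
    return null;
  }
  const data = event.data;
  // 2. Require a structured message with a string method name.
  if (!data || typeof data !== "object" || typeof data.method !== "string") {
    return null;
  }
  // 3. Dispatch by name through the allowlist; never evaluate the string.
  const handler = HANDLERS[data.method];
  if (typeof handler !== "function") {
    return null;
  }
  return handler(data.params || {});
}

// Constructed messages: one from an attacker origin carrying script in
// data.method, one legitimate resize request from the trusted origin.
const ATTACKER_MESSAGE = {
  origin: "https://attacker.example",
  data: { method: "globalThis.xssMarker = 'attacker ran code'; 'executed'" },
};
const LEGIT_MESSAGE = {
  origin: TRUSTED_ORIGIN,
  data: { method: "resize", params: { height: 300 } },
};
const PROTO_MESSAGE = {
  origin: TRUSTED_ORIGIN,
  data: { method: "constructor" },
};

// Runs both handlers over the constructed messages and returns the outcomes.
function demo() {
  return {
    vulnerableResult: vulnerableHandler(ATTACKER_MESSAGE),
    markerAfterVulnerable: globalThis.xssMarker,
    hardenedAttacker: hardenedHandler(ATTACKER_MESSAGE),
    hardenedLegit: hardenedHandler(LEGIT_MESSAGE),
    hardenedProto: hardenedHandler(PROTO_MESSAGE),
  };
}

// In a browser the hardened listener would be registered like this
// (guarded so the file also runs under Node for the demo).
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", hardenedHandler);
}

module.exports = { vulnerableHandler, hardenedHandler, demo, TRUSTED_ORIGIN };
```

The vulnerable handler executes the attacker's string and leaves a marker on the global object; the hardened handler returns null for the same message because the origin does not match, returns null for an inherited name such as "constructor" even from the trusted origin, and only runs the allowlisted "resize" action for the legitimate message. Checking event.origin alone is not sufficient if the listener still evaluates strings, so both changes belong together.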
