/*! - # VULNERABILITY: Instant Images WordPress Plugin <= 4.4.0 - Authenticated Persistent XSS & XFS - # GOOGLE DORK: inurl:/wp-content/plugins/instant-images/ - # DATE: 2021-04-22 - # SECURITY RESEARCHER: m0ze [ https://m0ze.ru ] - # VENDOR: Darren Cooney [ https://connekthq.com ] - # SOFTWARE VERSION: <= 4.4.0 - # SOFTWARE LINK: https://wordpress.org/plugins/instant-images/ - # CVSS: AV:N/AC:L/PR:H/UI:N/S:C - # CWE: CWE-79 - # CVE: CVE-2021-24334 */ ### -- [ Info: ] [i] An Authenticated Persistent XSS & XFS vulnerabilities was discovered in the Instant Images plugin through v4.4.0 for WordPress. [i] Vulnerable parameter(s): $options['unsplash_download_w'] (instant-images/instant-images.php:164), $options['unsplash_download_h'] (instant-images/instant-images.php:165). ### -- [ Impact: ] [~] Malicious JavaScript code or iFrame injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource. ### -- [ Payloads: ] [$] ">