WordPress Adivaha Travel Plugin Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in the WordPress Adivaha Travel Plugin version 2.3. This vulnerability allows unauthenticated attackers to inject malicious scripts by manipulating the 'isMobile' parameter. Exploitation occurs at the '/mobile-app/v3/' endpoint, where attackers can craft URLs containing JavaScript payloads that, when accessed by victims, execute arbitrary code in their browsers. This could lead to the theft of session tokens or credentials.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, send a link containing a malicious payload in the 'isMobile' GET parameter to a victim. The payload should be crafted to include JavaScript, such as an alert, which will execute when the link is clicked.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.