Writeprint Stylometry WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Writeprint Stylometry plugin for WordPress, affecting all versions through 0.1. The issue arises from inadequate input sanitization and output escaping in the 'bjl_wprintstylo_comments_nav' function, which directly inserts the 'p' GET parameter into an HTML href attribute without proper escaping. This vulnerability allows authenticated attackers with Contributor-level permissions or higher to inject arbitrary scripts that could be executed if another user is tricked into clicking a link.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level permissions or higher can send a request that includes the 'p' GET parameter with a crafted value that contains a script injection. The injected script will be executed when the link is clicked, demonstrating the cross-site scripting vulnerability.

Remediation

No known patch is available for this vulnerability. It is recommended to uninstall the affected plugin and find a replacement.