Bulk Watermark - Reflected cross-site scripting (XSS)

Description

Bulk Watermark 1.6.10 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/bulk-watermark-plugin-installer.ph p.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Bulk Watermark 1.6.10. The following is the output of the tool:

Skims output

 423 | function update_mwa_plugin_installer_menu_disable_option(){
 424 | ob_clean();
 425 | check_ajax_referer( 'mywebsiteadvisor-plugin-installer-menu-disable', 'security' );
 426 |
 427 | update_option('mywebsiteadvisor_pluigin_installer_menu_disable', $_POST['checked']);
 428 |
> 429 |   echo  $_POST['checked'];
  430 |   die();
  431 |  }
      ^ Col 0

Our security policy

We have reserved the ID CVE-2025-31294 to refer to this issue from now on. Disclosure policy

System Information

• Product: Bulk Watermark

• Version: 1.6.10

Mitigation

There is currently no patch available for this vulnerability.