

Advisories

Easy Code Snippets - Reflected cross-site scripting (XSS)

Severity pending

Detected by

Fluid Attacks SAST Scanner

Disclosed by

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Easy Code Snippets 1.0. - Reflected cross-site scripting (XSS)

Code name

skims-62

State

Private

Release date

6 dic 2024

Affected product

Easy Code Snippets

Affected version(s)

Version 1.0.

Vulnerability name

Reflected cross-site scripting (XSS)

Vulnerability type

008. Reflected cross-site scripting (XSS)

Remotely exploitable

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:U

Exploit available

CVE ID(s)

CVE-2025-22626

Description

Easy Code Snippets 1.0. was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/includes/admin/forms/class-wpcs-sn ippet-list.php.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Easy Code Snippets 1.0.. The following is the output of the tool:

Skims output

 362 | 'page']) && $_GET['page'] == 'ecsnippets-snippets' && $total_snippet >= '5' ) {
 363 | = '<div class=""error settings-error"" id=""setting-error-""><p><strong>'.__( 'You can add maximun five snippets, to add more
 364 | sage;
 365 |
 366 | l = add_query_arg( array(
 367 | nippets-snippets',
 368 | dd-new-snippet'
 369 |
 370 | echo esc_url($new_snippet_Url); ?>"" class=""page-title-action"">
 371 | New Snippet', 'ecsnippets' ); ?>
 372 |
 373 |
 374 |
 375 |
> 376 | en"" name=""page"" value=""<?php echo $_REQUEST['page'] ?>"" />
 377 | ets -->
 378 | stTable->search_box( __( 'Search Snippets', 'ecsnippets' ), 'ecsnippets_ltable_search' ); ?>
 379 | ender the completed list table -->
 380 | stTable->display(); ?>
  381 |
  382 |
      ^ Col 19

Our security policy

We have reserved the ID CVE-2025-22626 to refer to this issue from now on.

Disclosure policy

System Information

Version: Easy Code Snippets 1.0.

Mitigation

There is currently no patch available for this vulnerability.

Timeline



IA generativa

6 dic 2024



Public disclosure

7 ene 2025

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Contactar a ventas

Prueba gratis

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.