WebDevStudios taxonomy-switcher Plugin taxonomy-switcher.php taxonomy_switcher_init cross site scripting
Description
A vulnerability was found in WebDevStudios taxonomy-switcher Plugin up to 1.0.3 on WordPress. It has been classified as problematic. Affected is the function taxonomy_switcher_init of the file taxonomy-switcher.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.4 is able to address this issue. It is recommended to upgrade the affected component. VDB-217446 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WebDevStudios/taxonomy-switcher Plugin: versions from 1.0.0 up to and including 1.0.3 (range <=1.0.3)
Patches
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize user-supplied input before passing it to a redirect function."
Attack vector
An attacker exploits this vulnerability by manipulating the query string of a URL that the plugin later uses to build a redirect target. Because that input is not escaped, the crafted URL can carry script markup into the response, giving a cross-site scripting condition. The attack can be launched remotely and needs no privileges beyond the ability to craft a malicious URL; as with any reflected XSS, a victim (typically an administrator on the affected site) has to open the crafted link for the payload to execute. The vulnerability is present in versions up to 1.0.3 of the taxonomy-switcher plugin [ref_id=1].
Affected code
The vulnerability resides in the `taxonomy_switcher_init` function in `taxonomy-switcher.php`. The affected line is the one where `wp_redirect()` is called with a URL built by `add_query_arg()` from request-derived data. The patch changes this line to escape that URL before it is used [ref_id=1][patch_id=4375334].
What the fix does
The patch ensures that user-supplied input is escaped before it is used as a redirect URL. Specifically, `esc_url_raw()` is now applied to the URL data coming from `add_query_arg()` and the request, so that characters which are not legal in a URL (such as `<`, `>` and `"`) are stripped before `wp_redirect()` sees the value, which removes the cross-site scripting vector [ref_id=1][patch_id=4375334]. `esc_url_raw()` is the correct escaper here because the value is destined for an HTTP `Location` header rather than HTML output; `esc_url()` would additionally HTML-encode characters such as `&`, which is wrong for a header or database value.
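The pattern above, shown as an added example that is not the plugin's own code and not WordPress source: a redirect target is built from the incoming request, once passed straight to the redirect and once escaped first. The three `demo_*` helpers are simplified stand-ins for `add_query_arg()`, `esc_url_raw()` and `wp_redirect()` so the script runs without WordPress; the allow-list regex is the one WordPress's `esc_url()` uses, but everything else about the stand-ins is an assumption made for the demonstration, as is the sample request URI.

```php
<?php
// Added example, not code from the taxonomy-switcher plugin or from WordPress.
// Shows a redirect URL built from the request going to the redirect unescaped
// (the vulnerable shape) and after esc_url_raw()-style escaping (the fixed shape).
// demo_add_query_arg(), demo_esc_url_raw() and demo_wp_redirect() are simplified
// stand-ins so this runs without WordPress; they are assumptions, not WP's source.

declare(strict_types=1);

/** Stand-in for add_query_arg(): merges $args into the query string of the
 *  current request URI. Like WordPress, it leaves the path portion untouched. */
function demo_add_query_arg(array $args, string $requestUri): string
{
    $parts = explode('?', $requestUri, 2);
    $path  = $parts[0];
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query);
    }
    $query = array_merge($query, $args);
    return $path . '?' . http_build_query($query);
}

/** Stand-in for esc_url_raw(): strips NUL/CR/LF and then every character that
 *  is not legal in a URL, using the allow-list regex from WordPress's esc_url(). */
function demo_esc_url_raw(string $url): string
{
    $url   = str_replace(["\0", "\r", "\n"], '', $url);
    $clean = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url);
    return $clean ?? '';
}

/** Stand-in for wp_redirect(): returns the Location header it would emit
 *  instead of sending it, so the result can be inspected. */
function demo_wp_redirect(string $location): string
{
    return 'Location: ' . $location;
}

/** Vulnerable shape: the request-derived URL goes to the redirect as-is. */
function vulnerable_redirect(string $requestUri): string
{
    return demo_wp_redirect(demo_add_query_arg(['updated' => 'true'], $requestUri));
}

/** Fixed shape: the URL is escaped before the redirect uses it. */
function fixed_redirect(string $requestUri): string
{
    $target = demo_esc_url_raw(demo_add_query_arg(['updated' => 'true'], $requestUri));
    return demo_wp_redirect($target);
}

/** True when characters that could open or close HTML markup survived. */
function carries_markup(string $location): bool
{
    return strpbrk($location, '<>"') !== false;
}

// Constructed request URI (hypothetical): the attacker controls the path, and
// the path is what add_query_arg()-style helpers copy into the redirect target.
$attackerUri = '/wp-admin/tools.php/"><script>alert(1)</script>?page=taxonomy-switcher';

$before = vulnerable_redirect($attackerUri);
$after  = fixed_redirect($attackerUri);

echo $before, PHP_EOL;   // payload characters survive
echo $after, PHP_EOL;    // <, > and " are gone: .../tools.php/scriptalert(1)/script?...
echo 'markup before fix: ', var_export(carries_markup($before), true), PHP_EOL;
echo 'markup after fix:  ', var_export(carries_markup($after), true), PHP_EOL;
```

Run with `php demo.php`. The point to take away is that the escaping has to wrap the whole URL that reaches `wp_redirect()`, because `add_query_arg()` copies the request path as well as the query string, and the path is attacker-controlled too.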
Preconditions
- Input: the attacker must be able to control parts of the URL's query string.
- Configuration: the taxonomy-switcher plugin must be installed and active on the WordPress site, and the version must be 1.0.3 or earlier.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/WebDevStudios/taxonomy-switcher/commit/e1a0d99f936e7427b31e210c67aeb4833d804099 (mitre; patch)
- github.com/WebDevStudios/taxonomy-switcher/releases/tag/1.0.4 (mitre; patch)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.