View All Posts Page Plugin view-all-posts-pages.php action_admin_notices_activation cross site scripting
Description
A vulnerability, which was classified as problematic, has been found in View All Posts Page Plugin up to 0.9.0 on WordPress. This issue affects the function action_admin_notices_activation of the file view-all-posts-pages.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.9.1 is able to address this issue. The patch is named bf914f3a59063fa4df8fd4925ae18a5d852396d7. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-233363.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / View All Posts Page Plugin (source: description)
- Range: <=0.9.0
Patches
Vulnerability mechanics
Root cause
"The function `add_query_arg()` was misused, allowing for cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by manipulating the URL to inject malicious scripts. The vulnerability lies within the `action_admin_notices_activation` function in the `view-all-posts-pages.php` file. By crafting a specific URL, an attacker can trigger the cross-site scripting flaw, potentially leading to unauthorized actions or information disclosure. The attack can be initiated remotely, requiring no special privileges beyond the ability to send a crafted URL to a user or the server. [ref_id=1]
Affected code
The vulnerability is located in the `action_admin_notices_activation` function within the file `view-all-posts-pages.php`. The specific lines affected involve the use of `admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) )`, where the output was not properly escaped. The patch modifies these lines to use `esc_url( admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) )`. [patch_id=4375436]
What the fix does
The patch addresses the vulnerability by escaping the URL built inside the `action_admin_notices_activation` function before it is output. Specifically, the value returned by `admin_url( add_query_arg( ... ) )` is now wrapped in `esc_url()`. This prevents script payloads carried in the URL from being emitted verbatim into the admin notice markup, thereby mitigating the cross-site scripting risk. The change ensures that user-supplied data within query arguments does not lead to unintended script execution. [patch_id=4375436]
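As an added illustration (not code from the plugin, the patch or this entry), a small static check in Python that flags the unescaped pattern described above so it can be spotted in other plugin code. The PHP it scans is constructed here; only the two inner `admin_url( add_query_arg( ... ) )` calls are taken from this entry, and the surrounding `echo` statements are an assumption.

```python
import re

# Constructed sample PHP source. Line 3 is the unescaped form described in
# the advisory; line 6 is the form the patch introduces (wrapped in esc_url()).
SAMPLE_PHP = """<?php
// Before the patch: the URL is emitted without esc_url().
echo '<a href="' . admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) . '">Dismiss</a>';

// After the patch: the whole URL is passed through esc_url() before output.
echo '<a href="' . esc_url( admin_url( add_query_arg( $this->notice_key, 1, 'index.php' ) ) ) . '">Dismiss</a>';
"""

# WordPress escaping helpers that are acceptable directly around the URL.
ESCAPERS = ("esc_url(", "esc_url_raw(", "esc_attr(")

# Matches the construct named in the advisory, tolerating WordPress-style spacing.
ADMIN_URL_CALL = re.compile(r"admin_url\s*\(\s*add_query_arg\s*\(")


def find_unescaped_admin_urls(php_source: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every admin_url(add_query_arg(...))
    call that is not immediately wrapped by one of the escaping helpers above."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in ADMIN_URL_CALL.finditer(line):
            # Text to the left of the call, ignoring whitespace: if it ends with
            # an escaper's opening parenthesis, the call is wrapped and is fine.
            before = line[: match.start()].rstrip()
            if not before.endswith(ESCAPERS):
                findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in find_unescaped_admin_urls(SAMPLE_PHP):
        print(f"line {lineno}: unescaped admin_url(add_query_arg(...)): {text}")
```

The check is line-based and only recognises a wrapper on the same line, so a call split across lines should be reviewed by hand.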
Preconditions
- Input: the attacker must be able to send a crafted URL to the victim.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/wp-plugins/view-all-posts-pages/commit/bf914f3a59063fa4df8fd4925ae18a5d852396d7 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.