CVE-2015-10132
Description
A vulnerability classified as problematic was found in Thimo Grauerholz WP-Spreadplugin up to 3.8.6.1 on WordPress. This vulnerability affects unknown code of the file spreadplugin.php. The manipulation of the argument Spreadplugin leads to cross-site scripting. The attack can be initiated remotely. Upgrading to version 3.8.6.6 addresses this issue. The patch is commit a9b9afc641854698e80aa5dd9ababfc8e0e57d69. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-261676.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP-Spreadplugin up to 3.8.6.1 has a stored XSS vulnerability via the Spreadplugin parameter, patched in 3.8.6.6.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in WP-Spreadplugin versions up to 3.8.6.1. The flaw resides in the spreadplugin.php file where user-manipulated input through the Spreadplugin argument is not properly sanitized before being output. This allows an attacker to inject arbitrary JavaScript or HTML code.
Exploitation
The attack can be performed remotely without requiring authentication. An attacker would need to supply a malicious payload via the Spreadplugin parameter, which then gets rendered in the context of the affected WordPress site. The vulnerability is triggered when a user visits a page that displays the crafted content.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute scripts in the victim's browser within the site's security context. This can be used to steal session cookies, deface the page, or redirect users to malicious sites. The CVSS v3 score is 3.5 (Low) due to the need for user interaction and limited scope.
Mitigation
The issue is fixed in WP-Spreadplugin version 3.8.6.6 [1]. The patch is identified in commit a9b9afc [2], which sanitizes the output. Users should upgrade to the latest version; no workaround is available. The plugin repository is now archived.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.8.6.1
Patches
a9b9afc64185 One XSS vulnerability fixed
3 files changed · +7 −4
js/spreadplugin.min.js+1 −1 modified@@ -2,7 +2,7 @@ * Plugin Name: WP-Spreadplugin * Plugin URI: http://wordpress.org/extend/plugins/wp-spreadplugin/ * Description: This plugin uses the Spreadshirt API to list articles and let your customers order articles of your Spreadshirt shop using Spreadshirt order process. - * Version: 3.8.6.1 + * Version: 3.8.6.2 * Author: Thimo Grauerholz * Author URI: http://www.spreadplugin.de */
readme.txt+4 −1 modified@@ -5,7 +5,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_i Tags: spreadshirt,wordpress,plugin,shop,store,shirt,t-shirt,integration,online store,online shop Requires at least: 3.3 Tested up to: 4.1 -Stable tag: 3.8.6.1 +Stable tag: 3.8.6.2 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -195,6 +195,9 @@ Please have a look here: http://themeforest.net/category/wordpress?ref=thimo == Changelog == += 3.8.6.2 = +* One XSS vulnerability fixed + = 3.8.6 = * CSS fixes
spreadplugin.php+2 −2 modified@@ -3,7 +3,7 @@ * Plugin Name: WP-Spreadplugin * Plugin URI: http://wordpress.org/extend/plugins/wp-spreadplugin/ * Description: This plugin uses the Spreadshirt API to list articles and let your customers order articles of your Spreadshirt shop using Spreadshirt order process. - * Version: 3.8.6.1 + * Version: 3.8.6.2 * Author: Thimo Grauerholz * Author URI: http://www.spreadplugin.de */ @@ -479,7 +479,7 @@ public function Spreadplugin($atts) { $output .= "<div id=\"pagination\">"; if ($cArticleNext > 0) { - $output .= "<a href=\"" . add_query_arg('pagesp', $paged + 1) . "\">" . __('next', $this->stringTextdomain) . "</a>"; + $output .= "<a href=\"" . add_query_arg('pagesp', $paged + 1, get_permalink()) . "\">" . __('next', $this->stringTextdomain) . "</a>"; } $output .= "</div>"; } else {
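Review bot: the second hunk in spreadplugin.php (`@@ -479,7 +479,7 @@`) adds `get_permalink()` as the base URL but still concatenates the `add_query_arg()` return value straight into the `href` attribute. WordPress does not escape that return value, so it should be late-escaped at the point of output, e.g. `esc_url(add_query_arg('pagesp', $paged + 1, get_permalink()))`, so the anchor stays safe even if the base argument is later dropped or derived from the request again.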
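Review bot: the changelog entry `* One XSS vulnerability fixed` in the readme.txt hunk (`@@ -195,6 +195,9 @@`) does not say which output was affected. Naming the `pagesp` pagination link produced by the `Spreadplugin` shortcode would let site owners judge their exposure and confirm the fix after upgrading.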
Vulnerability mechanics
Root cause
"Missing base URL parameter in `add_query_arg()` call allows attacker-controlled `pagesp` value to be reflected unescaped into the pagination link HTML."
Attack vector
An authenticated attacker with the ability to craft a URL can inject a malicious `pagesp` query parameter. When a victim (e.g., a site administrator or other user) clicks the "next" pagination link generated by the vulnerable `add_query_arg` call, the attacker's payload is reflected into the page without proper neutralization [CWE-79]. The attack is performed remotely over HTTP/HTTPS and requires the victim to have an active session and to interact with the crafted link.
Affected code
The vulnerability resides in `spreadplugin.php` within the `Spreadplugin()` method, specifically in the pagination link generation at line 482. The `add_query_arg('pagesp', $paged + 1)` call was missing a base URL parameter, allowing the `pagesp` query parameter to reflect unescaped user-controlled input into the generated HTML anchor.
What the fix does
The patch adds `get_permalink()` as the third argument to `add_query_arg('pagesp', $paged + 1, get_permalink())` [patch_id=1995649]. This ensures the function builds the URL relative to the current page's canonical permalink rather than reflecting the raw `pagesp` value from the request. By providing an explicit base URL, any attacker-supplied `pagesp` value is discarded, closing the cross-site scripting vector.
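As an added example (not the plugin's code or part of this record), the following Python audit flags both halves of the pattern described above in PHP source: an `add_query_arg()` call with no base-URL argument, and a call whose result is not wrapped in `esc_url()`. The PHP it scans is a constructed sample built from the vulnerable and patched lines in the diff plus a fully hardened variant.

```python
# Added example (not plugin code): heuristic audit for the CVE-2015-10132 pattern in WordPress PHP:
# add_query_arg() with no base URL (falls back to REQUEST_URI) or a result placed in HTML without esc_url().
import re

def _split_args(src, start):
    """Split the arg list whose '(' is at src[start] on top-level commas; skips strings and nested ()/[]."""
    depth, args, buf, quote, i = 0, [], "", None, start
    while i < len(src):
        ch = src[i]
        if quote:                                  # inside a PHP string literal
            if ch == "\\" and i + 1 < len(src):    # keep the escaped character verbatim
                i += 1; ch += src[i]
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
            ch = ch if depth > 1 else ""           # drop the outer '(' itself
        elif ch in ")]":
            depth -= 1
            if depth == 0:
                return args + [buf.strip()]
        elif ch == "," and depth == 1:
            args.append(buf.strip()); buf, ch = "", ""
        buf += ch
        i += 1
    raise ValueError("unbalanced argument list")

def audit_php(src):
    """Return (line, missing_base, unescaped) for every add_query_arg() call in src."""
    out = []
    for m in re.finditer(r"\badd_query_arg\s*\(", src):
        args = _split_args(src, m.end() - 1)
        needed = 2 if re.match(r"array\s*\(|\[", args[0]) else 3  # array form takes ($args, $url)
        escaped = src[: m.start()].rstrip().endswith("esc_url(")
        out.append((src.count("\n", 0, m.start()) + 1, len(args) < needed, not escaped))
    return out

# Constructed sample: the vulnerable line from spreadplugin.php, the patched line
# from the 3.8.6.2 diff, and a hardened form that also late-escapes the URL.
SAMPLE_PHP = r'''<?php
$vuln  = "<a href=\"" . add_query_arg('pagesp', $paged + 1) . "\">next</a>";
$patch = "<a href=\"" . add_query_arg('pagesp', $paged + 1, get_permalink()) . "\">next</a>";
$hard  = "<a href=\"" . esc_url(add_query_arg('pagesp', $paged + 1, get_permalink())) . "\">next</a>";
$arr   = esc_url(add_query_arg(array('pagesp' => 2, 'tags' => 'a,b'), get_permalink()));
'''
if __name__ == "__main__":
    for line, missing_base, unescaped in audit_php(SAMPLE_PHP):
        print(f"line {line}: missing_base={missing_base} unescaped={unescaped}")
```

The vulnerable line is reported with both flags set, the 3.8.6.2 line only as unescaped, and the hardened lines as clean; the check is a heuristic and does not follow the URL through variables.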
Preconditions
- Input: The attacker must be able to craft a URL containing a malicious `pagesp` query parameter.
- Network: A victim with an active WordPress session must click the pagination 'next' link generated by the plugin.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References