CVE-2016-1000154
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Guideline Violation), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Reflected XSS in wordpress plugin whizz v1.0.7
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WordPress plugin WHIZZ v1.0.7 allows arbitrary script execution via crafted URL.
Vulnerability
Reflected Cross-Site Scripting (XSS) exists in WordPress plugin WHIZZ version 1.0.7. The plugin fails to properly sanitize user input before including it in page output, allowing an attacker to inject arbitrary JavaScript or HTML via a crafted URL. The vulnerability affects the whizz plugin version 1.0.7, which was hosted on the WordPress.org plugin directory until its closure [1][2].
Exploitation
An attacker can exploit this flaw by tricking a logged-in WordPress administrator into clicking a malicious link that contains the XSS payload. No authentication is required for the attacker, but the victim user must have the ability to manage WordPress settings to fully leverage the attack. The XSS payload executes in the context of the victim's browser session with the WordPress site, enabling the attacker to perform actions on behalf of the victim [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, defacement, or theft of sensitive data (e.g., cookies, authentication tokens). The attacker could potentially gain administrative-level access to the WordPress instance if the victim has elevated privileges. The impact is limited to the scope of the affected WordPress site and the victim's session [1][2].
Mitigation
The WHIZZ plugin has been closed and removed from the WordPress.org plugin directory as of December 3, 2025 due to a Guideline Violation, and no patched version is available. Users who have this plugin installed should uninstall it immediately to prevent any potential exploitation. There is no official fix or workaround provided by the plugin author [1][2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 1.0.7
Package: https://wordpress.org/plugins/whizz
Patches
whizz: This plugin has been removed from the WordPress.org directory on 2025-12-03 (reason: Guideline Violation). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- www.vapidlabs.com/wp/wp_advisory.php (nvd; Exploit, Third Party Advisory)
- wordpress.org/plugins/whizz (nvd; Product)
- www.securityfocus.com/bid/93538 (nvd)