VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 13, 2019· Updated Aug 6, 2024

CVE-2016-10867

CVE-2016-10867

Description

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in settings pages of the All-in-One WP Security & Firewall plugin before version 4.0.6 for WordPress.

Vulnerability

The All-in-One WP Security & Firewall plugin for WordPress, versions before 4.0.6, contains a cross-site scripting (XSS) vulnerability in its settings pages. The flaw allows an attacker to inject arbitrary web scripts or HTML via the plugin's administrative interface. [1]

Exploitation

An attacker with access to the WordPress admin panel (e.g., an administrator or a user with sufficient privileges to modify plugin settings) can inject malicious scripts into input fields on the settings pages. When the settings are saved and subsequently viewed, the injected script executes in the context of the admin's browser session. [1]

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the affected admin's session. This could lead to session hijacking, defacement, or further compromise of the WordPress site, such as creating new admin accounts or modifying site content. [1]

Mitigation

Update the All-in-One WP Security & Firewall plugin to version 4.0.6 or later, which fixes the XSS vulnerability. No workarounds are documented in the available references. [1]

References
  1. All-In-One Security (AIOS) – Security and Firewall

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.