WangGuard Plugin WGG User List wangguard-user-info.php wangguard_users_info cross site scripting
Description
A vulnerability, which was classified as problematic, has been found in WangGuard Plugin 1.8.0 on WordPress. Affected by this issue is the function wangguard_users_info of the file wangguard-user-info.php of the component WGG User List Handler. The manipulation of the argument userIP leads to cross site scripting. The attack may be launched remotely. The patch is identified as 88414951e30773c8d2ec13b99642688284bf3189. It is recommended to apply a patch to fix this issue. VDB-220214 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2
Patches
Vulnerability mechanics
Root cause
"The user IP parameter was not properly sanitized before being included in a URL, allowing for cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by manipulating the 'userIP' argument in a crafted URL. This crafted URL, when accessed by a victim, will execute arbitrary JavaScript in the victim's browser. The attack can be launched remotely, requiring no special privileges beyond the ability to craft and share a malicious link. The vulnerability lies within the WGG User List Handler component of the WangGuard Plugin.
Affected code
The vulnerability is located in the `wangguard_users_info` function within the `wangguard-user-info.php` file. Specifically, the manipulation of the `userIP` argument in the `$arrayUrl` array leads to the cross-site scripting flaw. The patch modifies this section by removing the `userIP` key from the `$arrayUrl`.
What the fix does
The patch removes the 'userIP' parameter from the `$arrayUrl` before it is used to construct the final URL. This prevents the user-supplied IP address from being directly embedded into the URL, thereby mitigating the cross-site scripting vulnerability. The change ensures that user input is not directly reflected in a way that could be interpreted as executable code by the browser.
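The pattern described above, shown next to a hardened form. This is an added example, not WangGuard's code: the function names, the `admin.php` target and the `page` value are hypothetical, and the sample inputs are constructed. The patch itself simply drops the `userIP` key; the hardened function shows the more general approach for cases where the value has to stay in the URL.

```php
<?php
// Added illustration; not the plugin's source. All names are hypothetical.

// Vulnerable pattern: a request value is copied into the URL array and the
// resulting URL is written into an href attribute without any encoding.
function build_link_vulnerable(array $request): string {
    $arrayUrl = ['page' => 'users_info'];
    if (isset($request['userIP'])) {
        $arrayUrl['userIP'] = $request['userIP'];
    }
    $parts = [];
    foreach ($arrayUrl as $key => $value) {
        $parts[] = $key . '=' . $value;   // no URL-encoding of the value
    }
    // No HTML escaping: a quote in the value ends the attribute early.
    return '<a href="admin.php?' . implode('&', $parts) . '">next</a>';
}

// Hardened pattern: keep the value only if it parses as an IP address,
// URL-encode the query string, and HTML-escape at the point of output.
function build_link_hardened(array $request): string {
    $arrayUrl = ['page' => 'users_info'];
    $ip = $request['userIP'] ?? '';
    if (is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
        $arrayUrl['userIP'] = $ip;
    }
    $url = 'admin.php?' . http_build_query($arrayUrl);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">next</a>';
}

// Constructed sample inputs: one well-formed address, one carrying markup.
$samples = [
    ['userIP' => '203.0.113.7'],
    ['userIP' => '203.0.113.7"><i>injected</i>'],
];
foreach ($samples as $sample) {
    echo 'vulnerable: ', build_link_vulnerable($sample), PHP_EOL;
    echo 'hardened:   ', build_link_hardened($sample), PHP_EOL;
}
```

For the second sample the vulnerable function emits the markup outside the `href` attribute, while the hardened function omits `userIP` entirely because the value fails IP validation.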
Preconditions
- input: The attacker must be able to manipulate the 'userIP' argument.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4
- github.com/joseconti/WangGuard/commit/88414951e30773c8d2ec13b99642688284bf3189 (mitre, patch)
- github.com/joseconti/WangGuard/pull/14 (mitre, issue-tracking)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
0
No linked articles in our index yet.