CVE-2019-14470
Description
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) in Instagram-PHP-API library (used in UserPro WordPress plugin) via error_description parameter in example/success.php.
The vulnerability is a reflected cross-site scripting (XSS) issue in the cosenary Instagram-PHP-API library (also known as Instagram PHP API V2), which is bundled with the UserPro WordPress plugin through version 4.9.32 [2]. The flaw exists in the example/success.php file, where the $_GET['error_description'] parameter is output without proper sanitization or encoding [4]. This allows an attacker to inject arbitrary HTML or JavaScript code.
Exploitation requires no authentication; an attacker can craft a malicious URL containing the payload in the error_description parameter and trick a victim into clicking it [1]. The library’s example files are publicly accessible if the plugin is installed, making the attack surface straightforward.
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or defacement of the WordPress site [1].
Mitigation involves updating the UserPro plugin to a version beyond 4.9.32, or removing or securing the vulnerable example files. The upstream Instagram-PHP-API library itself has not been updated to address this issue, so users of any direct integration should sanitize input appropriately [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cosenary/instagram (Packagist) | <= 2.3 | — |
Affected products
- cosenary/Instagram PHP API V2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization in example/success.php directly echoes the unvalidated `$_GET['error_description']` parameter into the HTML response."
Attack vector
An attacker crafts a URL pointing to the Instagram library's `success.php` script and appends the `error` and `error_description` query parameters, placing a JavaScript payload in `error_description` [ref_id=2]. The script checks if `$_GET['error']` is set and, if so, echoes `$_GET['error_description']` directly into the HTML response without any sanitization [ref_id=2]. When a victim visits this crafted URL, the attacker's JavaScript executes in the context of the WordPress site, enabling theft of cookies, session tokens, or other sensitive data [CWE-79]. No authentication or special configuration is required; the attacker only needs to lure a logged-in user to the malicious link.
Affected code
The vulnerable code is in `example/success.php` (line 36) of the cosenary Instagram-PHP-API library. The script directly echoes the `$_GET['error_description']` parameter without sanitization when the `error` parameter is set [ref_id=2]. This library is bundled within the UserPro WordPress plugin (through version 4.9.32) at `wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php` [ref_id=2].
What the fix does
As of the exploit publication date (25 August 2019), the issue was unfixed [ref_id=2]. The advisory does not include a patch. To remediate, the `error_description` value must be properly escaped or encoded before being output in the HTML response, or the script should avoid directly reflecting user-supplied input. Site administrators using the UserPro plugin should apply any security updates from the vendor or remove the vulnerable example script from the production web root.
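The following is an added illustration, not code from the Instagram-PHP-API project or the UserPro plugin: it reconstructs the reflected-output pattern the advisory describes for `example/success.php` (echoing `$_GET['error_description']` when `error` is set) next to the encoded form the remediation calls for. The function names and the sample query array are assumptions made for the example.

```php
<?php
// Added example; not the library's own code. Function names are illustrative.

// Vulnerable pattern as described in the advisory: when 'error' is present,
// the raw 'error_description' value is placed into the HTML response
// without encoding, so any markup or script in it reaches the browser intact.
function render_error_vulnerable(array $query): string
{
    if (isset($query['error'])) {
        return 'Error: ' . $query['error_description'];
    }
    return '';
}

// Hardened pattern: treat the parameter as untrusted text and encode it for
// an HTML text context before output. ENT_QUOTES also escapes single quotes,
// and ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function render_error_hardened(array $query): string
{
    if (!isset($query['error'])) {
        return '';
    }
    $description = (string) ($query['error_description'] ?? '');
    return 'Error: ' . htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_GET, using a harmless probe
// string of the kind a scanner would send to confirm reflection.
$sample = [
    'error'             => 'access_denied',
    'error_description' => '<img src=x onerror="alert(1)">',
];

echo render_error_vulnerable($sample), PHP_EOL;
echo render_error_hardened($sample), PHP_EOL;
```

Run with `php example.php`: the first line reproduces the tag verbatim, the second line shows it with `<`, `>` and `"` converted to HTML entities, so a browser renders it as text. Inside WordPress the equivalent helper is `esc_html()`; either way the encoding must match the output context (HTML body here), and the simplest remediation for a production site remains removing the library's `example/` directory from the web root, since it is never needed for the plugin's own operation.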
Preconditions
- config: The UserPro plugin (<= 4.9.32) must be installed and active on the WordPress site, which includes the vulnerable Instagram-PHP-API library.
- input: The attacker must craft a URL with the `error` and `error_description` query parameters and deliver it to a victim.
- auth: The victim must be logged into the WordPress site and click the crafted link.
- network: No special network position is required; the attack is performed over HTTP/HTTPS.
Reproduction
1. Identify a WordPress site running the UserPro plugin version 4.9.32 or earlier.
2. Craft a URL pointing to the vulnerable script: `https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=`
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://www.exploit-db.com/exploits/47304
- https://github.com/advisories/GHSA-gcv6-2v9c-rj48
- https://nvd.nist.gov/vuln/detail/CVE-2019-14470
- https://packetstormsecurity.com/files/154206/WordPress-UserPro-4.9.32-Cross-Site-Scripting.html
- https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php
- https://github.com/cosenary/Instagram-PHP-API/commits/master
- https://wpvulndb.com/vulnerabilities/9815
News mentions
No linked articles in our index yet.