CVE-2020-27388
Description
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yourls/yourls (Packagist) | >= 1.5, < 1.8 | 1.8 |
Affected products
- YOURLS / Admin Panel
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of plugin header values before display in the admin panel allows stored XSS."
Attack vector
An authenticated attacker with the ability to upload or modify PHP plugin files can inject malicious JavaScript payloads into plugin header fields such as Plugin Name, Plugin URI, or Description [ref_id=1]. When the YOURLS Admin Panel reads and displays these plugin headers, the unsanitized payload executes in the browser of any administrator viewing the plugin list [CWE-79]. The attacker must have valid admin credentials and the ability to write a PHP plugin file to the server's plugin directory.
Affected code
The vulnerability resides in `includes/functions-plugins.php` within the `yourls_get_plugin_data()` function. The function parses plugin file headers (Plugin Name, Plugin URI, Description, Version, Author, Author URI) but, before the fix, did not escape the values before returning them for display in the admin panel [patch_id=1703504].
What the fix does
The patch adds a call to `yourls_esc_html()` around the plugin header value in `yourls_get_plugin_data()` [patch_id=1703504]. Previously the code used `trim($matches[4])` directly; the fix wraps that with `yourls_esc_html(trim($matches[4]))`, which HTML-encodes special characters like `
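As an added illustration (not YOURLS's own code), the following minimal header parser models the pattern described above with the unpatched and patched behaviour side by side; `esc_html()` is an assumed local stand-in for `yourls_esc_html()`, and the plugin file is a constructed sample.

```php
<?php
// Added example, not YOURLS code. Mirrors the trim()-only (unpatched) versus
// escape-then-return (patched) behaviour of yourls_get_plugin_data().

// Assumed stand-in for yourls_esc_html(): HTML-encode for safe text output.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Parse "Header Name: value" lines from a plugin file's leading comment block.
// $escape = false reproduces the vulnerable path, $escape = true the patched one.
function parse_plugin_headers(string $source, bool $escape): array {
    $fields = ['Plugin Name', 'Plugin URI', 'Description', 'Version', 'Author', 'Author URI'];
    $data = [];
    foreach ($fields as $field) {
        $re = '/^[ \t\/*#]*' . preg_quote($field, '/') . ':(.*)$/mi';
        if (preg_match($re, $source, $m)) {
            $value = trim($m[1]);                                 // unpatched: trim() only
            $data[$field] = $escape ? esc_html($value) : $value;  // patched: escape too
        } else {
            $data[$field] = '';
        }
    }
    return $data;
}

// Constructed sample plugin file whose Description field carries markup.
$plugin = <<<'PHP'
<?php
/*
Plugin Name: Sample Plugin
Plugin URI: https://example.invalid/sample
Description: Demo <script>alert(1)</script>
Version: 1.0
Author: Example Author
Author URI: https://example.invalid
*/
PHP;

$unsafe = parse_plugin_headers($plugin, false);
$safe   = parse_plugin_headers($plugin, true);

// Unpatched: the admin page would inline the raw <script> element verbatim.
echo "unpatched: " . $unsafe['Description'] . "\n";
// Patched: the same value reaches the page as inert, HTML-encoded text.
echo "patched:   " . $safe['Description'] . "\n";
```

Running it with the PHP CLI shows the patched output with `<` and `>` replaced by `&lt;` and `&gt;`, which is what stops the browser from treating the header value as markup.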
Preconditions
- Auth: attacker must have valid admin credentials to the YOURLS instance
- Input: attacker must be able to upload or modify a PHP plugin file in the plugins directory
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pwgg-r6fq-mf94 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-27388 (GHSA, advisory)
- yourls.com (MITRE, x_refsource_MISC)
- yourls.org (GHSA, web)
- github.com/YOURLS/YOURLS/commit/04495e8b17ffeedb695ef5a64389f6bee15d57fb (GHSA, web)
- github.com/YOURLS/YOURLS/pull/2761 (GHSA, x_refsource_MISC, web)
- github.com/YOURLS/YOURLS/pull/2761/commits/93396c14587ece4f3d7bcb654f6d22eb0bae7d74 (GHSA, web)
- johnjhacking.com/blog/cve-2020-27388 (GHSA, web)
- johnjhacking.com/blog/cve-2020-27388/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.