WP Header Images < 2.0.1 - Reflected Cross-Site Scripting
Description
The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / WP Header Images WordPress plugin
- Range: <2.0.1
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of the t parameter before output in the plugin's settings page allows reflected XSS."
Attack vector
An attacker crafts a URL containing a malicious payload in the `t` parameter and tricks an authenticated administrator into visiting it. The plugin's settings page outputs the value of the `t` parameter directly without sanitization or escaping, causing the attacker's JavaScript to execute in the context of the victim's WordPress admin session [ref_id=1]. This is a reflected cross-site scripting (XSS) attack [CWE-79].
Affected code
The advisory does not specify the exact file or function name, but the vulnerability is in the WP Header Images plugin's settings page, where the `t` parameter is echoed back without sanitization.
What the fix does
The advisory states the issue is fixed in version 2.0.1 of the WP Header Images plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve properly sanitizing and escaping the `t` parameter before outputting it in the settings page, preventing the injection of arbitrary HTML or JavaScript.
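As an added illustration (not code from the plugin or the advisory, whose exact file and function are unknown), a hypothetical settings-page fragment showing the unescaped echo the narrative describes beside a hardened version built on WordPress's own sanitise/escape helpers. The function names, the `page` slug and the allowed tab values are assumptions.

```php
<?php
// Hypothetical fragment, not the plugin's real code.
// Vulnerable pattern as described in the advisory: the request
// parameter is written straight into the page with no sanitisation
// or escaping, so whatever is in ?t= becomes part of the markup.
function wphi_render_tab_vulnerable() {
    $t = isset( $_GET['t'] ) ? $_GET['t'] : '';
    echo '<a class="nav-tab" href="?page=wp-header-images&t=' . $t . '">' . $t . '</a>';
}

// Hardened version: sanitise on input, constrain to the values the
// page actually understands, and escape for the exact output context
// (URL for the href, HTML body for the link text) on output.
function wphi_render_tab_fixed() {
    $t = isset( $_GET['t'] ) ? sanitize_text_field( wp_unslash( $_GET['t'] ) ) : '';

    // An allow-list is the strongest fix for a tab selector: anything
    // unexpected falls back to a known default (assumed tab names).
    $allowed = array( 'general', 'images' );
    if ( ! in_array( $t, $allowed, true ) ) {
        $t = 'general';
    }

    $url = add_query_arg(
        array( 'page' => 'wp-header-images', 't' => $t ),
        admin_url( 'admin.php' )
    );
    echo '<a class="nav-tab" href="' . esc_url( $url ) . '">' . esc_html( $t ) . '</a>';
}
```

Even without the allow-list, `esc_url()` and `esc_html()` alone would neutralise the reflected markup; the allow-list additionally removes the untrusted value from the output entirely.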
Preconditions
- Input: The attacker must be able to craft a URL with a malicious t parameter and deliver it to an authenticated WordPress administrator.
- Auth: The victim must be logged in to the WordPress admin panel and visit the crafted URL.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/58c9a007-42db-4142-b096-0b9ba8850f87 (MISC)