Remove Footer Credit < 1.0.11 - Admin+ Stored Cross-Site Scripting
Description
The Remove Footer Credit WordPress plugin before 1.0.11 does not properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper sanitization in Remove Footer Credit plugin before 1.0.11 allows high-privilege users to conduct XSS attacks.
Vulnerability
The Remove Footer Credit WordPress plugin (slug: visual-footer-credit-remover) versions before 1.0.11 fail to properly sanitize its settings. This allows users with high privileges (such as administrators) to inject arbitrary JavaScript, even when the unfiltered_html capability is disallowed [1].
Exploitation
An attacker with high-privilege access (e.g., admin) can inject malicious scripts through the plugin's settings. The attacker does not need the unfiltered_html capability: the plugin stores the setting without the filtering WordPress core would otherwise apply, so the restriction is bypassed. This matters on installs where administrators are deliberately denied unfiltered_html, i.e. non-super-admins on multisite or any site with DISALLOW_UNFILTERED_HTML defined. The attack requires the attacker to be logged in as an administrator and to save crafted input in the plugin settings [1].
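The following is an added illustration, not code from the Remove Footer Credit plugin, of the settings-handling pattern the advisory describes, shown beside the hardened form. The option name (demo_footer_credit_text), field name, option group and the demo_ function names are hypothetical; the WordPress functions called (register_setting, wp_kses_post, current_user_can, esc_attr and so on) are core APIs.

```php
<?php
// Added example, not the plugin's own code. Option, field and function
// names prefixed demo_ are hypothetical.

// --- Weak pattern: raw input stored and echoed back unescaped ---
function demo_weak_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_footer_credit_save' );
    // No sanitisation: a <script> tag or on* attribute is stored verbatim,
    // even for administrators who lack the unfiltered_html capability.
    update_option( 'demo_footer_credit_text', wp_unslash( $_POST['demo_footer_credit_text'] ) );
}

function demo_weak_render_field() {
    // Unescaped output inside an attribute: a stored value such as
    // "><script>...</script> breaks out of the attribute and executes.
    echo '<input name="demo_footer_credit_text" value="' . get_option( 'demo_footer_credit_text', '' ) . '">';
}

// --- Hardened pattern: sanitise on save, escape on output ---
function demo_sanitize_footer_credit( $value ) {
    $value = (string) $value;
    // Users without unfiltered_html get the same filtering core applies to
    // post content: script tags, event handlers and javascript: URLs are
    // removed. Users who do hold the capability keep their raw markup, which
    // matches how core treats post content.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $value = wp_kses_post( $value );
    }
    return $value;
}

add_action( 'admin_init', function () {
    // With the Settings API the form posts to options.php, which enforces the
    // nonce and capability check and runs sanitize_callback before saving.
    register_setting(
        'demo_footer_credit_group',
        'demo_footer_credit_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_sanitize_footer_credit',
            'default'           => '',
        )
    );
} );

function demo_hardened_render_field() {
    // Escape for the attribute context regardless of what is stored, so a
    // value that slipped past sanitisation still cannot break out.
    printf(
        '<input name="demo_footer_credit_text" value="%s">',
        esc_attr( get_option( 'demo_footer_credit_text', '' ) )
    );
}
```

To reproduce the restricted condition on a test site, add `define( 'DISALLOW_UNFILTERED_HTML', true );` to wp-config.php so that even administrators lose unfiltered_html. Saving a value such as `"><script>alert(1)</script>` through the weak handler stores it verbatim and it fires when the field is rendered; through the hardened handler wp_kses_post strips the script element and esc_attr neutralises the remaining quote, so nothing executes. Sanitising on input alone is not enough, because any other code path that reads the option must still escape for its output context.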
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS). The injected script executes in the context of the WordPress admin dashboard when other administrators view the settings page. This can result in session hijacking, defacement, or further compromise of the site [1].
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of April 11, 2025, due to a Guideline Violation [1]. No patched version is distributed. Users should immediately uninstall the plugin from their WordPress sites [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- visual-footer-credit-remover, range: < 1.0.11
Patches
- r2655918 (visual-footer-credit-remover): This plugin has been removed from the WordPress.org directory on 2025-04-11 (reason: Guideline Violation). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- https://plugins.trac.wordpress.org/changeset/2655918 (MITRE tag: x_refsource_CONFIRM)
- https://wpscan.com/vulnerability/25a28adb-794f-4bdb-89e8-060296b45b38 (MITRE tag: x_refsource_MISC)