Turn off all comments <= 1.0 - Reflected Cross-Site Scripting
Description
The Turn off all comments WordPress plugin through 1.0 does not sanitise and escape the `rows` parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / Turn off all comments
- Range: <=1.0
Patches
None listed; the advisory reports no known fix [ref_id=1].
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of the `rows` parameter before it is output back in an admin page."
Attack vector
An attacker crafts a URL to the plugin's admin page whose `rows` query parameter carries an HTML or JavaScript payload. When a logged-in administrator opens that URL, the unsanitised `rows` value is reflected into the page and the payload executes in the origin of the WordPress admin panel [ref_id=1]. This is a reflected Cross-Site Scripting (XSS) attack [CWE-79]. Because the reflection point is an admin page, the script runs with the victim's authenticated session and can read nonces from the rendered DOM, so the usual follow-on is to issue state-changing admin requests on the victim's behalf. The payload does not need a `<script>` tag: if the value lands inside an attribute, a quote-breakout such as `" onfocus="..."` suffices.
Affected code
The plugin does not sanitise or escape the `rows` parameter before outputting it back in an admin page [ref_id=1]. The advisory does not specify the exact file or function name, but the vulnerable parameter is processed in the plugin's admin-facing code.
What the fix does
The advisory states that no known fix is available for this plugin [ref_id=1]. Remediation would require the plugin developer to escape the `rows` value for its output context (for example with WordPress's `esc_attr()` inside an attribute or `esc_html()` in element text) and, since the parameter is named `rows`, to validate it as an integer on input (for example with `absint()`) so that arbitrary strings never reach the page at all. Escaping on output is the control that actually blocks XSS; the input validation is defence in depth.
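The attack vector and the remediation described above, as an added example that is not part of the advisory or the plugin's own code. The advisory names no file or function, so the function names, the form markup, and the assumption that `rows` holds a row count are illustrative only. The `function_exists` shims stand in for WordPress's `esc_attr()` and `absint()` so the script runs with plain PHP outside WordPress; inside a plugin you would call the real functions directly.

```php
<?php
// Added example (not the plugin's code): a hypothetical admin settings field
// that reflects the `rows` request parameter, first as the advisory describes
// it (no sanitisation, no escaping) and then in a hardened form.

if (!function_exists('esc_attr')) {
    // Minimal stand-in for WordPress esc_attr(): encode & < > " ' for an
    // HTML attribute context. Only used when running outside WordPress.
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

if (!function_exists('absint')) {
    // Minimal stand-in for WordPress absint(): cast to a non-negative integer.
    function absint($maybeint): int
    {
        return abs((int) $maybeint);
    }
}

// Vulnerable pattern (hypothetical name): the raw request value is concatenated
// into an attribute, so a double quote in the value closes the attribute and the
// remainder of the payload becomes new attributes on the <input>.
function vuln_render_rows_field(array $get): string
{
    $rows = $get['rows'] ?? '5';
    return '<input type="text" name="rows" value="' . $rows . '">';
}

// Hardened pattern (hypothetical name): validate on input as a bounded integer
// (assumption: `rows` is a row count) and escape on output for the attribute
// context regardless. Escaping is what blocks XSS; the cast is defence in depth.
function safe_render_rows_field(array $get): string
{
    $rows = isset($get['rows']) ? absint($get['rows']) : 5;
    $rows = min(max($rows, 1), 100);   // keep within a sensible range
    return '<input type="text" name="rows" value="' . esc_attr((string) $rows) . '">';
}

// Constructed payload of the kind a crafted admin URL would carry, e.g.
//   /wp-admin/options-general.php?page=...&rows=%22%20autofocus%20onfocus%3D%22alert(document.domain)
// (the page slug is an assumption; the advisory does not give it).
$payload = '" autofocus onfocus="alert(document.domain)';

echo "vulnerable: " . vuln_render_rows_field(['rows' => $payload]) . PHP_EOL;
echo "hardened:   " . safe_render_rows_field(['rows' => $payload]) . PHP_EOL;
echo "hardened:   " . safe_render_rows_field(['rows' => '12']) . PHP_EOL;
```

Run it with `php example.php`. The vulnerable line prints an `<input>` carrying the attacker's `onfocus` handler, while the hardened line prints a plain `value="1"`: `(int)` of a string that does not start with a digit is 0 in PHP, the clamp raises it to 1, and the payload's quote never reaches the markup. If `rows` turned out not to be numeric in the real plugin, `sanitize_text_field()` on input plus `esc_attr()` on output would be the equivalent fix; the output escaping alone already neutralises the quote breakout.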
Preconditions
- config: The target site must have the 'Turn off all comments' plugin (version 1.0 or earlier) installed and activated.
- auth: The victim must be logged in as an administrator to the WordPress admin panel.
- input: The attacker must get the victim to open a crafted URL to the plugin's admin page containing the malicious `rows` parameter.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/18660c71-5a89-4ef6-b0dd-7a166e3449d6 (MITRE, x_refsource_MISC)