Sign-up Sheets < 2.2.13 - Reflected XSS
Description
The Sign-up Sheets WordPress plugin before 2.2.13 does not escape some generated URLs, as well as the $_SERVER['REQUEST_URI'] parameter before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches: 1
Vulnerability mechanics
Root cause
"The plugin fails to escape generated URLs and the $_SERVER['REQUEST_URI'] parameter before outputting them in HTML attributes, enabling reflected XSS."
Attack vector
An attacker crafts a malicious URL containing JavaScript payloads in the request URI or in plugin-generated URL parameters. When a victim visits this crafted URL on a site running the vulnerable Sign-up Sheets plugin (before 2.2.13), the plugin outputs the unescaped $_SERVER['REQUEST_URI'] value or generated URLs directly into HTML attributes [ref_id=1]. The injected script executes in the victim's browser context, allowing the attacker to steal cookies, redirect the user, or perform other client-side attacks. No authentication is required; the attack is triggered simply by the victim clicking the crafted link [CWE-79].
Affected code
The advisory does not specify exact file paths or function names within the Sign-up Sheets plugin. The vulnerability exists in code paths that output generated URLs and the $_SERVER['REQUEST_URI'] value into HTML attributes without proper escaping [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 2.2.13 of the Sign-up Sheets plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would involve properly escaping generated URLs and the $_SERVER['REQUEST_URI'] value with WordPress escaping functions (e.g., esc_url() or esc_attr()) before outputting them in HTML attributes. This prevents attacker-controlled input from being interpreted as executable JavaScript.
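As an added illustration (not code from the Sign-up Sheets plugin or from the advisory), the unescaped attribute output described above sits beside the escaped form the fix is expected to use. The function names and the sheet_id parameter are hypothetical; esc_url(), esc_attr(), esc_html() and add_query_arg() are WordPress core functions assumed to be loaded.

```php
<?php
// Added illustration, not the Sign-up Sheets plugin's code. Function names
// and the sheet_id parameter are hypothetical; esc_url(), esc_attr(),
// esc_html() and add_query_arg() are WordPress core functions assumed loaded.

// Vulnerable pattern: $_SERVER['REQUEST_URI'] is whatever path and query
// string the visitor's browser requested, so it is attacker-influenced via a
// crafted link. Writing it into an attribute unescaped lets such a link close
// the quoted attribute and inject markup. This is the bug class the advisory
// describes for versions before 2.2.13.
function ssheets_form_open_unsafe() {
    return '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}

// Hardened pattern: esc_url() is the escaping function for URL-valued
// attributes. It rejects unsupported schemes, strips characters such as
// double quotes and angle brackets that could terminate the attribute, and
// entity-encodes single quotes and ampersands. (esc_url_raw() is for URLs
// stored in the database or passed to redirects, not for HTML output.)
function ssheets_form_open_safe() {
    return '<form method="post" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">';
}

// Plugin-generated URLs need the same treatment at the point of output:
// build the URL first, then escape it for the context it lands in.
// Non-URL attributes (title, data-*, value) take esc_attr() instead, and
// text nodes take esc_html().
function ssheets_sheet_link_safe( $sheet_id, $base_url ) {
    $url   = add_query_arg( array( 'sheet_id' => (int) $sheet_id ), $base_url );
    $title = 'Sign-up sheet #' . (int) $sheet_id;
    return '<a href="' . esc_url( $url ) . '" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</a>';
}
```

The defensive habit this shows is escaping at output time for the exact context (URL attribute, plain attribute, text node) rather than trusting that a value was built by the plugin itself.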
Preconditions
- Config: The Sign-up Sheets plugin must be installed and active on a WordPress site, version before 2.2.13
- Input: The victim must visit a crafted URL containing the XSS payload
- Auth: No authentication required; the attack is unauthenticated
Reproduction
The advisory at [ref_id=1] states a proof of concept exists but does not include the specific PoC steps in the extracted text. No reproduction steps are available in the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/f3526320-3abd-4ddb-8f73-778741bd9c48/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions: 0
No linked articles in our index yet.