Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross-Site Request Forgery (CSRF) leading to a persistent Cross-Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.

Disclosure / Response Timeline:

  • April 30 – Initial contact attempt
  • May 07 – Patch is live

Are You at Risk?

This vulnerability requires some level of social engineering to be exploited.


Source: Scuri check