Metamorfosec Security Advisory METS-2020-001
A Cross Site Scripting (XSS) in Sell Media Plugin v2.4.1 for WordPress

FIRST PUBLISHED: Aug 12, 2020
VERSION: 1.0
VENDOR: Graph Paper Press (https://graphpaperpress.com/)
PRODUCT: Sell Media
VERSION AFFECTED: 2.4.1 (prior versions may also be affected)
CVE-ID: CVE-2019-6112

PRODUCT DESCRIPTION:
(based on https://wordpress.org/plugins/sell-media/)
Sell Media is a WordPress plugin to sell photos, prints, and videos through your self-hosted WordPress site.

FINDING:
A cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).

PROOF OF CONCEPT:
[DOMAIN_NAME]/sell-media-search/?keyword=">

MITIGATION:
Update to v2.4.2 or newer.

ADVISORY TIMELINE:
Jan 1, 2019 - Vulnerability found and first notification sent to Vendor (no response)
Jan 3, 2019 - Vendor released patch in dev branch on GitHub Repository
Jan 9, 2019 - Requested CVE-ID
Jan 11, 2019 - Obtained CVE-ID (CVE-2019-6112, still RESERVED), sent second notification to Vendor, and Vendor responded that the issue had already been fixed in dev branch on GitHub Repository
Jul 16, 2019 - Vendor released v2.4.2 based on https://github.com/graphpaperpress/Sell-Media/commit/7b65e436e88c870f7c531db890d40f3491f09b9a#diff-eb6b6c90251ab33cee784713c451e6d8
Aug 12, 2020 - Published this Advisory and requested publication of CVE-2019-6112

REVISION HISTORY:
Aug 12, 2020 - First release

REFERENCES:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6112
2. https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on our website.
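The following is an added illustration of the defect class named in the FINDING (a search keyword reflected into an HTML attribute without escaping) beside the escaped form a maintainer would use; it is not code from Sell Media or Graph Paper Press, the function and variable names are assumptions, and the sample input is constructed for the example. It runs stand-alone with the PHP CLI.

```php
<?php
// Added example (not the plugin's code). Shows why reflecting a request
// parameter into an attribute without escaping yields reflected XSS, and
// how context-appropriate output escaping removes the defect.
// All names below are assumptions for this illustration.

// Vulnerable form: the raw request value is concatenated into markup, so a
// value containing `">` terminates the attribute and the element early.
function render_search_box_unescaped(string $search_term): string
{
    return '<input type="text" name="keyword" value="' . $search_term . '">';
}

// Hardened form: escape for the HTML attribute context before output.
// Inside WordPress the equivalent helper is esc_attr(); htmlspecialchars()
// with ENT_QUOTES is used here so the example runs outside WordPress.
function render_search_box_escaped(string $search_term): string
{
    $safe = htmlspecialchars($search_term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="keyword" value="' . $safe . '">';
}

// Regression check a maintainer can keep in the test suite: the rendered
// markup for one search box must contain exactly one tag, i.e. the
// user-controlled value must not have opened or closed any element.
function attribute_is_contained(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed sample input, mirroring the `">` prefix in the PROOF OF CONCEPT:
// it closes the value attribute and the input tag, then adds its own element.
$sample = '"><em>injected</em>';

$vulnerable = render_search_box_unescaped($sample);
$hardened   = render_search_box_escaped($sample);

echo "unescaped: {$vulnerable}\n";
echo "escaped:   {$hardened}\n";
echo 'unescaped output kept inside the attribute? ',
     attribute_is_contained($vulnerable) ? 'yes' : 'no', "\n";
echo 'escaped output kept inside the attribute?   ',
     attribute_is_contained($hardened) ? 'yes' : 'no', "\n";
```

The escaping step belongs at the point of output, chosen for the context the value lands in (attribute, text node, URL, JavaScript); input-side filtering such as WordPress's sanitize_text_field() is a useful complement but does not by itself guarantee that a value is safe in every output context.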