• I just failed a PCI scan with this result:

    Summary:
    Cross-site scripting vulnerability in domain parameter to /whois-lookup/

    Risk: High (3)
    Port: 80/tcp
    Protocol: tcp
    Threat ID: web_prog_cgi_xssgeneric

Viewing 3 replies - 1 through 3 (of 3 total)
  • We double checked and the claimed vulnerability does exist. We have directly notified the developer of the plugin with more details of the issue.

    Which company’s PCI scanner detected that?

    Thread Starter franzengalaxy (@franzengalaxy)

    ControlScan
    It failed before (3 months ago), and I put in a fix. But then it wasn’t good enough and failed again today, so I put in another band-aid to get by. Since I don’t know all the possibilities, it may fail again next time…

    Considering that the plugin has some pretty serious coding issues in addition to the security issue, we wouldn’t recommend running it at this point, but WordPress’ documentation on sanitizing and escaping user input like this can be found here.
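An added illustration, not code from the plugin or from any poster in this thread: a reflected-XSS pattern of the kind the scanner reports (a `domain` query parameter echoed back unescaped) beside a hardened handler that validates the value against what a domain name can be and then escapes it with WordPress's own functions for the output context it lands in. The function names `whois_lookup_vulnerable` and `whois_lookup_hardened` are hypothetical; both assume they run inside WordPress so that `wp_unslash`, `sanitize_text_field`, `esc_attr` and `esc_html` are available.

```php
<?php
// Added example: hypothetical handlers, not the plugin's code.
// Assumes WordPress is loaded (wp_unslash, sanitize_text_field, esc_attr, esc_html).

// Vulnerable pattern: the query parameter is reflected straight into the page,
// in both an attribute and the element body, with no validation or escaping.
function whois_lookup_vulnerable() {
    $domain = isset($_GET['domain']) ? $_GET['domain'] : '';
    echo '<input type="text" name="domain" value="' . $domain . '">';
    echo '<p>Results for ' . $domain . '</p>';
}

// Hardened pattern: allow-list the input, then escape for the specific context.
function whois_lookup_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, null bytes and surrounding whitespace.
    $domain = isset($_GET['domain'])
        ? sanitize_text_field(wp_unslash($_GET['domain']))
        : '';

    // Allow-list: dot-separated labels of letters, digits and hyphens
    // (no leading/trailing hyphen, 63 chars max per label), alphabetic TLD,
    // 253 chars overall. Anything else is rejected, not "cleaned".
    $is_valid = $domain !== ''
        && strlen($domain) <= 253
        && preg_match('/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $domain) === 1;

    if (!$is_valid) {
        // The rejected value is not echoed back; a generic message reflects nothing.
        echo '<p>Please enter a valid domain name.</p>';
        return;
    }

    // Validation narrows the input; escaping is still applied on output,
    // chosen per context: esc_attr() inside the attribute, esc_html() in the body.
    echo '<input type="text" name="domain" value="' . esc_attr($domain) . '">';
    echo '<p>Results for ' . esc_html($domain) . '</p>';
}
```

Validation and escaping are separate controls: the allow-list rejects anything that is not a plausible domain, and the context-specific escaping covers whatever still reaches the page, so a scanner probing the parameter has nothing to reflect.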

  • The topic ‘PCI scan fails due to cross site scripting vulnerability’ is closed to new replies.