
XSS Vulnerability in Blubrry PowerPress

Affected Vendor

Blubrry PowerPress




Sep 4, 2015

High Severity


A Cross-Site Scripting (XSS) vulnerability was identified in the WordPress plugin Blubrry PowerPress Podcasting, version 6.0.4.

Proof of concept (PoC):

Visit the following page on a site with this plugin, set the value of the tab parameter to the payload "></script><script>alert(document.cookie);</script>, and send the request to the server. The injected payload is echoed back by the server without the input being validated or encoded. It also affects the wp-config.php file, $table_prefix, and corrupts the database connectivity.

Note: the XSS payload was tested against the application once, after the Unfiltered HTML setting had been configured in the wp-config.php file.


Issue 1: The tab parameter of the POST request to the URL http://localhost/wordpress/wp-admin/admin.php?page=powerpress/powerpressadmin_basic.php is vulnerable to Cross-Site Scripting (XSS).

Figure 01: An HTTP request carrying the script payload is sent to the server through the vulnerable tab parameter in the URL, and the payload is echoed back in the HTTP response without validation.
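To make the bug class concrete from the developer's side, the following is an added illustrative example and not Blubrry PowerPress's own code: it reconstructs the pattern the PoC describes (a tab parameter reflected into an admin page) next to a hardened version. The function names render_tab_unsafe(), render_tab_encoded() and render_tab_allowlisted(), and the list of tab names, are assumptions for this example; esc_attr() is WordPress's real attribute-escaping function, with a stand-in defined so the script also runs under plain PHP.

```php
<?php
// Added example (not the plugin's code): reflected XSS through a "tab"
// parameter, shown as the vulnerable pattern beside two hardened forms.

// Stand-in for WordPress's esc_attr() so this runs outside WordPress too.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (assumed for illustration): the raw request value is
// concatenated into an HTML attribute. A value that starts with "> closes
// the attribute and the element, so any markup that follows is parsed as
// page content and a <script> element inside it is executed.
function render_tab_unsafe($tab) {
    return '<input type="hidden" name="tab" value="' . $tab . '" />';
}

// Hardened form 1: encode for the attribute context. Quotes, < and > become
// entities, so the value can no longer break out of the attribute.
function render_tab_encoded($tab) {
    return '<input type="hidden" name="tab" value="' . esc_attr($tab) . '" />';
}

// Hardened form 2: a parameter that selects one of a few fixed admin tabs
// should be allow-listed; anything unknown falls back to the default tab.
// Output is still encoded, so the allow-list is not the only line of defence.
function render_tab_allowlisted($tab, array $allowed_tabs) {
    if (!in_array($tab, $allowed_tabs, true)) {
        $tab = $allowed_tabs[0];
    }
    return '<input type="hidden" name="tab" value="' . esc_attr($tab) . '" />';
}

// Constructed sample input: the payload quoted in the advisory's PoC, plus
// assumed tab names for the allow-list.
$payload      = '"></script><script>alert(document.cookie);</script>';
$allowed_tabs = ['basic', 'feeds'];

echo "Unsafe:\n"      . render_tab_unsafe($payload)                      . "\n\n";
echo "Encoded:\n"     . render_tab_encoded($payload)                     . "\n\n";
echo "Allow-listed:\n" . render_tab_allowlisted($payload, $allowed_tabs) . "\n";

// Neither hardened output contains a raw <script> tag from the payload.
assert(strpos(render_tab_encoded($payload), '<script') === false);
assert(strpos(render_tab_allowlisted($payload, $allowed_tabs), '<script') === false);
```

Run with `php example.php`: the unsafe output reproduces the breakout the figure shows, while the encoded output renders the payload as inert text (`&quot;&gt;&lt;/script&gt;...`) and the allow-listed output contains only the default tab name. When reviewing a fix such as the one shipped in 6.0.5, the check is that every reflection of the parameter uses the encoding function matching its output context (esc_attr() for attributes, esc_html() for element content, esc_url() for URLs), not just the one spot the PoC exercised.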


This XSS vulnerability allows an attacker to inject malicious script into the application via the tab parameter, which is reflected in the response without validation or encoding.


Download the latest updated version of Blubrry PowerPress Podcasting and apply the patch as per the vendor advisory.


Sep 04, 2015: Discovered in Blubrry PowerPress Podcasting plugin version 6.0.4.
Sep 04, 2015: Reported to WordPress.
Sep 07, 2015: The vendor acknowledged the issue.
Sep 09, 2015: Fixed in Blubrry PowerPress Podcasting plugin version 6.0.5.

Discovered by

Cyber Security Works Pvt. Ltd.

  • Affected Vendor: Blubrry PowerPress
  • Bug Name: Cross-Site Scripting (XSS)
  • CVE Number: CVE-2015-9410
  • CWE ID: CWE-79
  • CSW ID: 2015-CSW-09-1006
  • CVSSv3 Score: 5.4
  • Affected Version: 6.0.4
  • Severity: High
  • Affected Product: Blubrry PowerPress Podcasting