CVE-2019-14470
Published 2019-09-04
Priority: P2 (62) · Severity: medium · CVSS 3.0: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit available
EPSS: 82.96% (99.6th percentile)
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cosenary | Instagram-PHP-API | 0 – 2.3 | — |
| userproplugin | user_pro | <= 4.9.32 | — |
Detection & IOCs (extracted from sources)
URL: `{{BaseURL}}/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(1)%3E`
- Look for GET requests to the vulnerable success.php path with non-empty 'error' and 'error_description' query parameters; the error_description value is reflected unsanitized into the HTML response body.
- Confirm exploitation by matching the reflected XSS payload (e.g., <svg/onload=...>) in the HTTP response body with Content-Type: text/html and HTTP 200 status.
- Fingerprint affected WordPress installations by checking for the string '/wp-content/plugins/userpro/' in the homepage response before probing the vulnerable endpoint.
- The vulnerability exists in the bundled Instagram PHP API example file (success.php), not in UserPro core code itself. The affected file is a vendor example script that should not be present in production deployments.
- The XSS is reflected (not stored), requiring user interaction (UI:R) to trigger; exploitation depends on a victim clicking a crafted link.
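The first detection note above, turned into a small log checker (an added example, not code from this page's sources or from the UserPro or Instagram-PHP-API projects): it parses Apache/nginx combined-format access log lines, keeps only requests to the bundled success.php path, and flags those where a non-empty error_description is reflected, marking the ones that carry markup or an inline event handler. The log lines are constructed samples; the regex and thresholds are assumptions, not an official rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path of the bundled vendor example script named in the advisory.
VULN_PATH = ("/wp-content/plugins/userpro/lib/instagram/vendor/"
             "cosenary/instagram/example/success.php")

# Combined-log-format request line: method, request target and status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# A tag opener or an inline on*= handler is never a legitimate OAuth error text.
MARKUP_RE = re.compile(r"<|on\w+\s*=", re.IGNORECASE)


def inspect_line(line):
    """Return a finding dict for a request that reflects error_description, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes values, so the payload is compared in decoded form.
    q = parse_qs(parts.query, keep_blank_values=True)
    desc = q.get("error_description", [""])[0]
    if "error" not in q or not desc:
        return None  # the file was hit, but nothing is reflected into the page
    return {
        "method": m.group("method"),
        "status": m.group("status"),
        "error_description": desc,
        "markup": bool(MARKUP_RE.search(desc)),  # True = likely XSS attempt
    }


def scan(lines):
    """Findings for every line that reflects error_description, in log order."""
    return [hit for hit in (inspect_line(l) for l in lines) if hit]


# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2019:10:00:01 +0000] "GET ' + VULN_PATH +
    '?error=&error_description=%3Csvg/onload=alert(1)%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Aug/2019:10:00:02 +0000] "GET ' + VULN_PATH +
    '?error=access_denied&error_description=The+user+denied+your+request HTTP/1.1" 200 430',
    '192.0.2.9 - - [26/Aug/2019:10:00:03 +0000] "GET ' + VULN_PATH + '?code=abc123 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The second sample is a genuine Instagram OAuth error being reflected; it is reported as a reflection but not as markup, which is the distinction a triage rule needs before paging anyone.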
CVSS provenance
- NVD v3.0: 6.1 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
GHSA
Cosenary Instagram-PHP-API contains reflected XSS vulnerability
ghsa · 2022-05-24 · CVE-2019-14470 [MEDIUM]
cosenary Instagram-PHP-API (aka Instagram PHP API V2), used in the UserPro plugin through 4.9.32 for WordPress, is vulnerable to cross-site scripting via the [example/success.php](https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36) error_description parameter.
Vulnerable code:
```php
// example/success.php (line 36 upstream): the query-string value is concatenated
// straight into the HTML response with no escaping, so any markup placed in
// error_description is rendered by the victim's browser (reflected XSS).
if (isset($_GET['error'])) {
    echo 'An error occurred: ' . $_GET['error_description'];
}
```
Proof-of-Concept:
`https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=`
OSV
Cosenary Instagram-PHP-API contains reflected XSS vulnerability
osv · 2022-05-24 · CVE-2019-14470 [MEDIUM]
The OSV record carries the same description, vulnerable code and proof-of-concept as the GHSA entry.
No detection rules found.
Exploit-DB
WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting
exploitdb · 2019-08-26 · CVSS 6.1 · CVE-2019-14470 [MEDIUM]
---
# Exploit Title: UserPro https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36
Proof-of-Concept:
https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=
Nuclei
WordPress UserPro 4.9.32 - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2019-14470 [MEDIUM]
WordPress UserPro 4.9.32 is vulnerable to reflected cross-site scripting because the Instagram PHP API (v2) it relies on allows it via the example/success.php error_description parameter.
Template:
```yaml
id: CVE-2019-14470

info:
  name: WordPress UserPro 4.9.32 - Cross-Site Scripting
  author: daffainfo
  severity: medium
  description: WordPress UserPro 4.9.32 is vulnerable to reflected cross-site scripting because the Instagram PHP API (v2) it relies on allows it via the example/success.php error_description parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive in
  reference:
    - http://packetstormsecurity.com/files/154206/WordPress-UserPro-4.9.32-Cross-Site-Scripting.html
    - https://github.com/cosenary/Instagram-PHP-API/commits/master
    - https://wpvulndb.com/vulnerabilities/9815
    - https://www.exploit-db.com/exploits/47304
```