cbcvebase.
CVE-2019-14470
published 2019-09-04


Priority: P2 62 medium
CVSS 3.0: 6.1
CVSS vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
EXPLOIT
EPSS: 82.96% (99.6th percentile)
cosenary Instagram-PHP-API (aka Instagram PHP API V2), as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php error_description parameter.

Affected (2 ranges)

Vendor          Product     Version range   Fixed in
cosenary        instagram   0 – 2.3
userproplugin   user_pro    <= 4.9.32

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php
url: {{BaseURL}}/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(1)%3E
  • Look for GET requests to the vulnerable success.php path with non-empty 'error' and 'error_description' query parameters — the error_description value is reflected unsanitized into the HTML response body.
  • Confirm exploitation by matching the reflected XSS payload (e.g., <svg/onload=...>) in the HTTP response body with Content-Type: text/html and HTTP 200 status.
  • Fingerprint affected WordPress installations by checking for the string '/wp-content/plugins/userpro/' in the homepage response before probing the vulnerable endpoint.
  • The vulnerability exists in the bundled Instagram PHP API example file (success.php), not in UserPro core code itself. The affected file is a vendor example script that should not be present in production deployments.
  • The XSS is reflected (not stored), requiring user interaction (UI:R) to trigger; exploitation depends on a victim clicking a crafted link.
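A log-side check for the first two detection bullets above, as an added example that is not part of this advisory or of either project's code. It assumes a combined-format web server access log, and it keys on error_description alone because the advisory's own template URL sends an empty 'error' parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Vulnerable vendor example script bundled with UserPro (path from the advisory).
VULN_PATH = "/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php"
# Assumed combined-log-format access log: client, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def check_request(method, target, status):
    """Return a finding for a request matching the CVE-2019-14470 pattern, else None."""
    if method != "GET":
        return None
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes values; the advisory's template URL itself sends an empty 'error',
    # so only error_description is required to be non-empty here.
    desc = parse_qs(parts.query, keep_blank_values=True).get("error_description", [""])[0]
    if not desc:
        return None  # nothing is reflected when error_description is absent or empty
    # Angle brackets or an event-handler attribute in the reflected value are the strongest signal.
    html_like = bool(re.search(r"<|>|\bon\w+\s*=", desc, re.IGNORECASE))
    served = status == 200  # a 200 means the page rendered (and reflected) the parameter
    return {
        "error_description": desc,
        "html_like": html_like,
        "served": served,
        "severity": "high" if html_like and served else "low",
    }

def scan_access_log(lines):
    """Run check_request over raw access-log lines and collect findings with the client IP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = check_request(m["method"], m["target"], int(m["status"]))
        if finding:
            finding["ip"] = m["ip"]
            findings.append(finding)
    return findings

# Constructed sample log lines (not real traffic); client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Sep/2019:10:00:00 +0000] "GET /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=%3Csvg/onload=alert(1)%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Sep/2019:10:00:01 +0000] "GET /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=access_denied&error_description=User+denied HTTP/1.1" 200 480',
    '198.51.100.7 - - [04/Sep/2019:10:00:02 +0000] "GET /index.php?error_description=%3Cb%3Ex HTTP/1.1" 200 1200',
    '198.51.100.7 - - [04/Sep/2019:10:00:03 +0000] "GET /wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error_description=%3Cimg+src=x+onerror=alert(1)%3E HTTP/1.1" 404 200',
]
```

Only a hit with both an HTML-like value and a 200 response is graded "high"; a 404 shows the file is absent, which is the expected state on a hardened install where the vendor example directory has been removed.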

CVSS provenance

NVD v3.0: 6.1 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
NVD v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)