Persistent XSS via CSRF in WP Meta and Date Remover
During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross-Site Request Forgery (CSRF) vulnerability leading to persistent Cross-Site Scripting (XSS), affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.
Disclosure / Response Timeline:
- April 30 – Initial contact attempt
- May 07 – Patch is live
Are You at Risk?
This vulnerability requires some level of social engineering to be exploited.