CVE-2018-9172

MEDIUM

Iptanus WordPress File Upload < 4.3.3 - Cross-Site Scripting via Shortcode Attributes

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9172. PoCs published by ManhNho.

AI-analyzed exploit summary This is a writeup describing a Stored XSS vulnerability in WordPress File Upload plugin version 4.3.2. The exploit involves injecting malicious JavaScript into the 'Plugin ID' field in the admin panel, which executes when accessed via Pages/Posts containing upload options.

Description

The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.

Exploits (1)

exploitdb WRITEUP

by ManhNho · textwebappsphp

https://www.exploit-db.com/exploits/44443

View Code ZIP pw:eip

This is a writeup describing a Stored XSS vulnerability in WordPress File Upload plugin version 4.3.2. The exploit involves injecting malicious JavaScript into the 'Plugin ID' field in the admin panel, which executes when accessed via Pages/Posts containing upload options.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress File Upload plugin 4.3.2

Auth required

Prerequisites: Admin access to WordPress panel · WordPress File Upload plugin 4.3.2 installed

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://www.iptanus.com/new-version-4-3-3-of-wordpress-file-upload-plugin/

Third Party Advisory x_refsource_confirm

https://wordpress.org/plugins/wp-file-upload/#developers

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44443/

Scores

CVSS v3 5.4

EPSS 0.0324

EPSS Percentile 86.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

iptanus/wordpress_file_upload < 4.3.3

Published Apr 01, 2018

Tracked Since Feb 18, 2026