cvedb.io
CVE-2020-28707
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2021-01-19T22:15:12.537 · Last modified 2026-07-09T01:16:42.847

Summary

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.

Affected products

stockdio — stockdio_historical_chart

Does this affect you?

Add your gear to cvedb and we'll alert you only when stockdio ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.