Best Rating and Pageviews - Reflected XSS

Description

Best Rating and Pageviews 3.0.3 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/classes/system/class-brpv-statistics-page.php.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Best Rating and Pageviews 3.0.3. The following is the output of the tool:

Skims output

 31 | public function get_html_feeds_list() {
 32 | $brpvListTable = new BRPV_Statistics_WP_List_Table(); ?>
 33 | <form method=""get"">
> 34 | <input type=""hidden"" name=""page"" value=""<?php echo $_REQUEST['page'] ?>""/>
 35 | <input type=""hidden"" name=""brpv_form_id"" value=""brpv_wp_list_table"" />
 36 | <?php $brpvListTable->prepare_items(); $brpvListTable->display(); ?>
 37 | </form><?php // end get_html_feeds_list();
  38 |  }
     ^ Col 0

Our security policy

We have reserved the ID CVE-2025-31293 to refer to this issue from now on. Disclosure policy

System Information

• Product: Best Rating and Pageviews

• Version: 3.0.3

Mitigation

There is currently no patch available for this vulnerability.