Computer Repair Shop < 2.0 - Authenticated Stored XSS


Computer Repair Shop is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin’s options. Fixed in version 2.0.

Proof of concept

The plugin’s options applied only basic HTML validation, which could be bypassed by copying and pasting malicious code into the text field. The last character would be stripped from the code. After posting, the malicious code could be executed by the browser.
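
The pattern behind this class of bug, and the usual server-side fix, shown as an added example (hypothetical WordPress settings code, not the plugin's own source or the author's patch). The option name crs_example_label, the nonce action crs_example_save and the function names are made up for illustration, and it is an assumption that the bypassed validation ran only on the input field.

```php
<?php
// Added example: hypothetical settings code, not taken from the plugin.
// 'crs_example_label' and 'crs_example_save' are made-up names.

// Weak pattern: stores and prints whatever the form field let through.
function crs_example_save_weak() {
    update_option( 'crs_example_label', $_POST['crs_example_label'] );
}
function crs_example_render_weak() {
    echo '<input type="text" name="crs_example_label" value="'
        . get_option( 'crs_example_label' ) . '">';
}

// Hardened pattern: authorize, verify the nonce, sanitize on save,
// escape on output.
function crs_example_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies if the request does not carry a valid nonce for this action.
    check_admin_referer( 'crs_example_save' );

    $raw = isset( $_POST['crs_example_label'] )
        ? wp_unslash( $_POST['crs_example_label'] )
        : '';
    // sanitize_text_field() strips tags, line breaks and extra whitespace,
    // regardless of how the value got into the field.
    update_option( 'crs_example_label', sanitize_text_field( $raw ) );
}

function crs_example_render() {
    $value = get_option( 'crs_example_label', '' );
    echo '<form method="post" action="">';
    wp_nonce_field( 'crs_example_save' );
    // esc_attr() keeps a stored value from breaking out of the attribute,
    // even if an older, unsanitized value is still in the database.
    echo '<input type="text" name="crs_example_label" value="'
        . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}
```

Escaping at output matters as much as sanitizing at save time, because values stored before an upgrade are not re-sanitized.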

Plugin details

Plugin name: Computer Repair Shop
Plugin URL:
Plugin Author: WebfulCreations


  • Friday 10th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified
  • Saturday 11th of January 2020: Vulnerability fixed by the author in version 2.0
  • Monday 13th of January 2020: Vulnerability made public on 

Jeroen Mulder

Web developer based in the Netherlands