{"id":"CVE-2019-6112","details":"A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).","modified":"2026-04-10T04:19:41.011020Z","published":"2020-08-14T14:15:12.287Z","references":[{"type":"ADVISORY","url":"https://metamorfosec.com/Files/Advisories/METS-2020-001-A_XSS_Vulnerability_in_Sell_Media_Plugin_v2.4.1_for_WordPress.txt"},{"type":"FIX","url":"https://github.com/graphpaperpress/Sell-Media/commit/8ac8cebf332e0885863d0a25e16b4b180abedc47#diff-f16fea0a0c8cc36031ec339d02a4fb3b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graphpaperpress/sell-media","events":[{"introduced":"0"},{"last_affected":"e29e5db5d8be59dcfdd032d8c559f5f21498cc24"},{"fixed":"8ac8cebf332e0885863d0a25e16b4b180abedc47"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.1"}]}}],"versions":["1.0.1","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1","1.2","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.9","1.3","1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.5","1.5.1","1.5.2","1.5.3","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6","1.6.1","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7","1.8.3","1.8.4","1.8.6","1.8.7","1.9","1.9.1","1.9.2","1.9.4","1.9.5","1.9.6","1.9.7","1.9.8","2.0","2.0-hotfix","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.2","2.2.1","2.2.10","2.2.11","2.2.12","2.2.3","2.2.4","2.2.6","2.2.7","2.2.8","2.2.9","2.3.1","2.3.2","2.3.5","2.4","2.4.1","settings-class"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-6112.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}