In cybersecurity we tend to triage by severity: the "Criticals" and "Highs" get fixed immediately, while the "Mediums" sit in the backlog for weeks. But as the recent penetration test of redacted.com shows, a chain of Medium-risk findings can be just as damaging as a single High-severity one.

The Lead Actor: DOM-based XSS (High)

The only "High" severity finding was a DOM-based Cross-Site Scripting vulnerability.

  • The Flaw: The site unsafely handles user input, specifically using element.innerHTML instead of safer alternatives.
  • The Proof: A simple image tag payload was enough to hijack the page title.
  • The Effort: Fixing this takes only 1–2 hours.

The "High" Risks in Disguise (The Mediums)

This is where the title comes to life. On their own, these findings might not seem urgent, but together they create a "perfect storm":

1. The Invisible Skeleton Key (Session Cookie Missing HttpOnly)

  • The Finding: The PHPSESSID cookie lacks the HttpOnly flag.
  • The Disguise: Rated as MEDIUM (CVSS 4.3), a finding many developers might ignore.
  • The Reality: Because this flag is missing, the XSS vulnerability can steal the user's session cookie via document.cookie. This turns a script injection into a total account takeover.

2. The Digital Map (WordPress User Enumeration)

  • The Finding: The /wp/v2/users API endpoint is public.
  • The Disguise: Rated as MEDIUM (CVSS 5.3).
  • The Reality: It leaked real names and usernames like "admin1" and "admin2345". Attackers now have half of the login credentials they need to start a brute-force attack.

3. The 13-Year-Old Liability (Outdated jQuery)

  • The Finding: The site uses jQuery 1.9.0, released in 2013.
  • The Disguise: Rated as MEDIUM (CVSS 5.3).
  • The Reality: It carries known vulnerabilities like CVE-2015-9251 (XSS) and CVE-2019-11358 (Prototype Pollution), providing even more ways for attackers to execute code.

Remediation: Closing the Gaps

The report concludes that the most critical fixes, stopping the XSS and securing the session cookies, can be done today.

  • The Fix: Switch to textContent or use DOMPurify to sanitize input.
  • The Configuration: Update php.ini to enforce session.cookie_httponly = 1.
  • The Shield: Implement a strong Content-Security-Policy (CSP) via .htaccess to block unauthorized scripts.
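As an added illustration (not code from the report or from the site itself), here is the textContent fix from the first bullet next to a small Node.js check that a response actually carries the HttpOnly flag on PHPSESSID and a Content-Security-Policy header. The header values are constructed, and the helper names are my own.

```javascript
// Vulnerable pattern from the High finding: untrusted input written with innerHTML,
// so any markup in `untrusted` is parsed and scripts in it run.
function renderTitleUnsafe(el, untrusted) {
  el.innerHTML = untrusted;
}

// Fix: textContent treats the value strictly as text, never as markup.
function renderTitleSafe(el, untrusted) {
  el.textContent = untrusted;
}

// Parse one Set-Cookie header value into the cookie name and its
// lower-cased attribute names (Path, HttpOnly, Secure, SameSite, ...).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, flags };
}

// Audit a response's headers for the remediations the report asks for.
// `headers` maps lower-cased header names to values; Set-Cookie may be an array.
function auditResponse(headers) {
  const findings = [];
  const setCookies = [].concat(headers['set-cookie'] || []);
  for (const raw of setCookies) {
    const { name, flags } = parseSetCookie(raw);
    if (name !== 'PHPSESSID') continue;
    if (!flags.has('httponly')) findings.push('PHPSESSID missing HttpOnly');
    if (!flags.has('secure')) findings.push('PHPSESSID missing Secure');
  }
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('no Content-Security-Policy header');
  } else if (/script-src[^;]*'unsafe-inline'/i.test(csp)) {
    findings.push("CSP script-src allows 'unsafe-inline'");
  }
  return findings;
}

// Constructed sample responses (not captured from redacted.com).
const beforeFix = {
  'set-cookie': ['PHPSESSID=abc123; Path=/'],
};
const afterFix = {
  'set-cookie': ['PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  'content-security-policy': "default-src 'self'; script-src 'self'",
};
```

Running auditResponse over a live response (for example the headers object from Node's http client) lists exactly which of the report's fixes are still missing; an empty list means the cookie and CSP remediations are in place.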

Closing Thought

The 'High' didn't take down this site. The Mediums did. Triage accordingly.