Shop Page WP < 1.2.8 – Admin+ Stored Cross-Site Scripting | CVE 2021-24811 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Add/edit a product and put the following payload in the Product Affiliate URL, Custom Button Text fields: "><img src onerror=alert(/XSS/)>
The Product Description field is also affected, with the following payload: </textarea><img src onerror=alert(/XSS/)>

The XSS will be triggered when viewing the Product in a page, or when editing the Product in the admin dashboard

Affects Plugins

Fixed in 1.2.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Submitter

Mika

Submitter website

https://mikadmin.fr/blog/

Submitter twitter

Verified

Yes

WPVDB ID

000e65f1-89cd-4dd5-a09d-5febd9fdfbdb

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2024-01-23

Title

SVG Uploads Support <= 2.1.1 - Author+ Stored XSS via SVG

Published

2024-10-21

Title

SVG Captcha <= 1.0.11 - Reflected Cross-Site Scripting

Published

2025-06-23

Title

WP Front User Submit / Front Editor < 4.9.4 - Reflected Cross-Site Scripting

Published

2026-01-15

Title

Simple Redirect <= 1.1 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Car Demon 1.0.1 - /wp-admin/post.php Multiple Parameter XSS