WordPress Plugin Vulnerabilities

Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues.

Notes (WPScanTeam)
- The original reporter mentioned the issue being fixed in 2.10.2, but we could still trigger it with the same payload in this version, as well as the latest 2.10.3. Vendor was notified about it
- April 29th, 2021 - v2.10.4 released, fixing the issue

Proof of Concept

Affects Plugins

Plugin icon
give
Fixed in 2.10.4

References

CVE
CVE-2021-24315
URL
https://m0ze.ru/vulnerability/%5B2021-04-02%5D-%5BWordPress%5D-%5BCWE-79%5D-GiveWP-WordPress-Plugin-v2.10.3.txt
YouTube Video

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
m0ze
Verified
Yes
WPVDB ID
006b37c9-641c-4676-a315-9b6053e001d2

Timeline

Publicly Published
2021-04-30 (about 4 years ago)
Added
2021-04-30 (about 4 years ago)
Last Updated
2021-05-17 (about 4 years ago)

Other

Published
Title
Published
2025-01-06
Title
Beacon Lead Magnets and Lead Capture < 1.5.8 - Reflected Cross-Site Scripting
Published
2025-07-30
Title
WPFunnels < 3.5.27 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-04-10
Title
Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS
Published
2022-07-18
Title
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
Published
2017-02-07
Title
XO Security < 1.5.3 - XSS