WordPress Plugin Vulnerabilities

Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise the 'name' field of the variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also use the lack of CSRF and capability checks to make a logged in administrator add the payload and make them perform further unwanted actions.

Proof of Concept

Affects Plugins

Plugin icon
custom-global-variables
Fixed in 1.1.1

References

Exploitdb
49406

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Swapnil Subhash Bodekar
Verified
Yes
WPVDB ID
0480b2e3-5b3d-4eaf-9496-6a135f7cf4c9

Timeline

Publicly Published
2021-01-11 (about 5 years ago)
Added
2021-01-11 (about 5 years ago)
Last Updated
2021-03-10 (about 4 years ago)

Other

Published
Title
Published
2024-04-15
Title
Shortcodes and extra features for Phlox theme < 2.15.6 - Contributor+ Stored XSS via Accordion Widget
Published
2018-11-02
Title
Event Calendar WD <= 1.1.21 - Cross-Site Scripting (XSS)
Published
2024-09-30
Title
Easy Load More <= 1.0.3 - Reflected Cross-Site Scripting
Published
2025-11-24
Title
Job Board by BestWebSoft < 1.2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage
Published
2025-03-03
Title
Quiz and Survey Master (QSM) < 9.2.1 - Author+ Stored XSS