Page View Counts < 2.4.9 – Contributor+ Stored XSS | CVE 2021-24509 | Plugin Vulnerabilities

Description

The plugin does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.

Proof of Concept

[pvc_stats postid='a" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)']

[pvc_stats postid='a" onmouseover="alert(origin)']

Affects Plugins

page-views-count

Fixed in 2.4.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

06df2729-21da-4c22-ae1e-dda1f15bdf8f

Timeline

Publicly Published

2021-07-12 (about 4 years ago)

Added

2021-07-12 (about 4 years ago)

Last Updated

2021-08-10 (about 4 years ago)

Other

Published

Title

Published

2024-05-28

Title

Fetch JFT < 1.8.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-04-14

Title

Electric Studio Client Login <= 0.8.1 - Admin+ Stored XSS

Published

2021-08-30

Title

Docket Cache < 21.08.02 - Reflected Cross-Site Scripting

Published

2023-10-16

Title

Minimum Purchase for WooCommerce <= 2.0.0.1 - Contributor+ Stored XSS

Published

2023-12-01

Title

Nested Pages < 3.2.7 - Admin+ Stored XSS