Visitors <= 0.3 – Unauthenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24350 | Plugin Vulnerabilities

Description

The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.

Proof of Concept

$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"

The payload will be executed on the "visitors" page within the WordPress admin panel.

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mesut Cetin

Submitter

Mesut Cetin

Verified

Yes

WPVDB ID

06f1889d-8e2f-481a-b91b-3a8008e00ffc

Timeline

Publicly Published

2021-05-26 (about 2 years ago)

Added

2021-05-27 (about 2 years ago)

Last Updated

2021-07-11 (about 2 years ago)

Other

Published

Title

Published

2023-10-12

Title

WP ULike < 4.6.9 - Contributor+ Stored Cross Site Scripting via Shortcode

Published

2022-05-02

Title

Check & Log email < 1.0.6 - Reflected Cross-Site Scripting

Published

2021-12-14

Title

WooCommerce EnvioPack <= 1.2 - Reflected Cross-Site Scripting

Published

2024-04-12

Title

Carousel Slider < 2.2.10 - Editor+ Stored XSS

Published

2020-07-13

Title

Jetapo < 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)