WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The plugin is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.

Proof of Concept

$ curl -i http://localhost:10008/ --user-agent "</script><script>alert(1)</script>"

The payload will be executed on the "visitors" page within the WordPress admin panel.

Affects Plugins

visitors-app
No known fix - plugin closed

References

CVE
CVE-2021-24350

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Mesut Cetin

Submitter

Mesut Cetin

Verified

Yes

WPVDB ID
06f1889d-8e2f-481a-b91b-3a8008e00ffc

Timeline

Publicly Published

2021-05-26 (about 12 months ago)

Added

2021-05-27 (about 12 months ago)

Last Updated

2021-07-11 (about 10 months ago)

Our Other Services

WPScan WordPress Security Plugin