WordPress Plugin Vulnerabilities

SupportCandy < 2.2.7 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Proof of Concept

[supportcandy page="init';alert(/XSS/)//"]

Affects Plugins

Plugin icon
supportcandy
Fixed in 2.2.7

References

CVE
CVE-2021-24880

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
09226067-0289-4d4f-9450-6f2c2ba058a0

Timeline

Publicly Published
2022-01-05 (about 2 years ago)
Added
2022-01-05 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2024-01-03
Title
CPT Bootstrap Carousel <= 1.12 - Reflected Cross-Site Scripting
Published
2023-08-02
Title
Front Editor <= 4.4.1 - Admin+ Stored XSS
Published
2023-01-19
Title
Camera slideshow <= 1.4.0.1 - Reflected Cross-Site Scripting
Published
2023-10-31
Title
Linker < 1.2.2 - Contributor+ Stored XSS
Published
2023-07-18
Title
ARMember (free and premium) - Admin+ Stored Cross-Site Scripting