WordPress Plugin Vulnerabilities

SupportCandy < 2.2.7 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
supportcandy
Fixed in 2.2.7

References

CVE
CVE-2021-24880

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
09226067-0289-4d4f-9450-6f2c2ba058a0

Timeline

Publicly Published
2022-01-05 (about 3 years ago)
Added
2022-01-05 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-06-22
Title
WP eMember < 10.6.7 - Reflected XSS
Published
2016-07-26
Title
Woo Custom Checkout Field <= 1.3.4 - CSRF & Stored XSS
Published
2025-08-11
Title
Qi Blocks < 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-09-15
Title
Dflip Lite < 1.7.10 - Contributor+ Stored Cross-Site Scripting
Published
2025-04-09
Title
Request Call Back <= 1.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting