WP Reactions Lite < 1.3.6 – Authenticated Stored Cross Site Scripting | CVE 2021-24723 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.

Proof of Concept

* Open  Global Activation and Click on Customize Now
* On Step3 (StylingTab) >> Enter the XSS payload into "Whats your reaction" field
Payload Used : "><script>alert(document.location)</script>
* Click On Save and Exit Button and Alert will popup every time a Global Activation step is loaded.

Affects Plugins

wp-reactions-lite

Fixed in 1.3.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

Verified

Yes

WPVDB ID

0a46ae96-41e5-4b52-91c3-409f7387aecc

Timeline

Publicly Published

2021-09-28 (about 4 years ago)

Added

2021-09-28 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2022-02-10

Title

Social Media Feather < 2.0.5 - Admin+ Stored Cross-Site Scripting

Published

2023-04-19

Title

Social Share Boost < 4.5 - Contributor+ Stored XSS

Published

2024-09-27

Title

WP-DownloadManager < 1.68.9 - Reflected Cross-Site Scripting

Published

2025-01-03

Title

WP Smart Import : Import any XML File to WordPress < 1.1.3 - Reflected Cross-Site Scripting

Published

2025-12-11

Title

WPLG Default Mail From <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']